lostecho/build-web-application-with-golang
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add 0.4.3.md syntax highlighting

Browse Source
This commit is contained in:
vCaesar
2016-12-18 15:18:40 +08:00
parent 9d6ad88a42
commit eb0f43cf00
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
zh/04.3.md
View File

@@ -14,11 +14,12 @@
我们看4.1小节的例子 我们看4.1小节的例子
```Go
fmt.Println("username:", template.HTMLEscapeString(r.Form.Get("username"))) //输出到服务器端 fmt.Println("username:", template.HTMLEscapeString(r.Form.Get("username"))) //输出到服务器端
fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password"))) fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password")))
template.HTMLEscape(w, []byte(r.Form.Get("username"))) //输出到客户端 template.HTMLEscape(w, []byte(r.Form.Get("username"))) //输出到客户端
```
如果我们输入的username是`<script>alert()</script>`,那么我们可以在浏览器上面看到输出如下所示: 如果我们输入的username是`<script>alert()</script>`,那么我们可以在浏览器上面看到输出如下所示:
![](images/4.3.escape.png?raw=true) ![](images/4.3.escape.png?raw=true)
@@ -26,23 +27,25 @@
图4.3 Javascript过滤之后的输出 图4.3 Javascript过滤之后的输出
Go的html/template包默认帮你过滤了html标签但是有时候你只想要输出这个`<script>alert()</script>`看起来正常的信息该怎么处理请使用text/template。请看下面的例子 Go的html/template包默认帮你过滤了html标签但是有时候你只想要输出这个`<script>alert()</script>`看起来正常的信息该怎么处理请使用text/template。请看下面的例子
```Go
import "text/template" import "text/template"
... ...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>") err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
```
输出 输出
Hello, <script>alert('you have been pwned')</script>! Hello, <script>alert('you have been pwned')</script>!
或者使用template.HTML类型 或者使用template.HTML类型
```Go
import "html/template" import "html/template"
... ...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", template.HTML("<script>alert('you have been pwned')</script>")) err = t.ExecuteTemplate(out, "T", template.HTML("<script>alert('you have been pwned')</script>"))
```
输出 输出
Hello, <script>alert('you have been pwned')</script>! Hello, <script>alert('you have been pwned')</script>!
@@ -50,12 +53,13 @@ Go的html/template包默认帮你过滤了html标签但是有时候你只想
转换成`template.HTML`后,变量的内容也不会被转义 转换成`template.HTML`后,变量的内容也不会被转义
转义的例子: 转义的例子:
```Go
import "html/template" import "html/template"
... ...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>") err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
```
转义之后的输出: 转义之后的输出:
Hello, &lt;script&gt;alert(&#39;you have been pwned&#39;)&lt;/script&gt;! Hello, &lt;script&gt;alert(&#39;you have been pwned&#39;)&lt;/script&gt;!