Why am I seeing ZgotmplZ in my Go HTML template output?

Question

When I\'m calling a Go template function to output HTML, it displays ZgotmplZ.

Sample code:

http://play.golang.org/p/tfuJa_pFkm

Answer 1

package main

import (
    "html/template"
    "os"
)

type T struct {
    HTML template.HTML
    ATTR template.HTMLAttr
    URL  template.URL
    JS   template.JS
    CSS  template.CSS
}

func main() {

    data := T{
        HTML: `<div>test div</div>`,
        ATTR: `selected="selected"`,
        URL:  `https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg`,
        CSS:  `font-size: 15px`,
        JS:   `console.log("hello world")`,
    }

    template.Must(template.New("Template").Parse(`
        {{.HTML}}
        <option {{.ATTR}} style="{{.CSS}}">test</option>
        <script>{{.JS}}</script>
        <img src="{{.URL}}">
    `)).Execute(os.Stdout, data)
}

output

<div>test div</div>
<option selected="selected" style="font-size: 15px">test</option>
<script>console.log("hello world")</script>
<img src="https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg">

playground Example

Answer 2

easiest way:

import "html/template"
yourhref = template.URL(yourhref)

Answer 3

I had similar problem with <img src="{{myfunction}}"> where myfunction return encoded image.

Finally I solved it when instead of string function return template.URL(mystring).

Answer 4

You should wrap the string in an HTMLAttr, which was designed for text that gets injected in between angle brackets. Per the documentation:

https://golang.org/pkg/html/template/#HTMLAttr

HTMLAttr encapsulates an HTML attribute from a trusted source, for example,  dir="ltr".

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

type HTMLAttr string

Answer 5

"ZgotmplZ" is a special value that indicates that unsafe content reached a CSS or URL context at runtime. The output of the example will be:

 <img src="#ZgotmplZ">

You can add a safe and attr function to the template funcMap:

package main

import (
    "html/template"
    "os"
)

func main() {
    funcMap := template.FuncMap{
        "attr":func(s string) template.HTMLAttr{
            return template.HTMLAttr(s)
        },
        "safe": func(s string) template.HTML {
            return template.HTML(s)
         },
    }

    template.Must(template.New("Template").Funcs(funcMap).Parse(`
    <option {{  .attr |attr }} >test</option>
        {{.html|safe}}
     `)).Execute(os.Stdout,   map[string]string{"attr":`selected="selected"`,"html":`<option selected="selected">option</option>`})
}

The output will look like:

<option selected="selected" >test</option>
<option selected="selected">option</option>

You may want to define some other functions which can convert string to template.CSS, template.JS, template.JSStr, template.URL etc.

Answer 6

You are trying to output HTML in a place where template/html thinks is unsafe (for example, inside an HTML element, like this:

<option {{ printSelected }}>

I cannot find any way to convince it it is safe (including returning template.HTML instead of string); the only alternative I have found is to rewrite the template, in this example use a bool output instead:

<option {{ if printSelected }}selected{{ end }}>