Open
Description
Go的html/template包默认帮你过滤了html标签,但是有时候你只想要输出这个<script>alert()</script>看起来正常的信息,该怎么处理?请使用text/template。请看下面的例子:
import "text/template"
...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")改为如下代码可直接运行得到输出
import (
"text/template"
"os"
)
t, _ := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
t.ExecuteTemplate(os.Stdout, "T", "<script>alert('you have been pwned')</script>")Metadata
Metadata
Assignees
Labels
No labels