By default, the template engine does not HTML-encode variable output. If developers do not escape untrusted values themselves before rendering, the generated page can contain XSS vulnerabilities.

GoFrame takes this into account and provides a configuration switch that controls whether variable output is HTML-encoded by default. The feature is enabled or disabled through the AutoEncode configuration item or the SetAutoEncode method.

Tip: this feature does not affect the built-in template function include; content pulled in through include is not encoded by this switch.

Usage example:

1. Configuration file

```toml
[viewer]
delimiters = ["${", "}"]
autoencode = true
```

2. Sample code

```go
package main

import (
	"context"
	"fmt"

	"github.com/gogf/gf/v2/frame/g"
)

func main() {
	// With autoencode enabled in the configuration, every variable rendered
	// by the template engine is HTML-encoded, so the script payload is inert.
	result, err := g.View().ParseContent(context.TODO(), "Name: ${.name}", g.Map{
		"name": "<script>alert('john');</script>",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(result)
}
```

3. Execution output

```
Name: &lt;script&gt;alert(&#39;john&#39;);&lt;/script&gt;
```
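The following is an added example, written with Go's standard library rather than GoFrame, and is not code from the GoFrame documentation or project. It reproduces the page's output in three steps: rendering with auto-encoding off (variables substituted verbatim), rendering with auto-encoding modelled as HTML-entity encoding applied to every string variable (the page's output suggests this is what the switch does; treat that as an assumption here), and rendering with html/template, whose escaping depends on where the variable lands. The third case adds the caveat a practitioner wants: a javascript: URL placed in an href attribute contains no characters that entity encoding touches, so a blanket encode of every variable leaves it intact, whereas a context-aware escaper neutralises it. The templates, payloads and function names are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// Constructed sample inputs (not from any real application): the script
// payload used on the page, plus a javascript: URL aimed at an href attribute.
const (
	scriptPayload = "<script>alert('john');</script>"
	urlPayload    = "javascript:alert(1)"
)

// Templates using the "${" / "}" delimiters from the page's configuration.
const (
	nameTemplate = "Name: ${.name}"
	linkTemplate = `<a href="${.url}">profile</a>`
)

// renderRaw models auto-encoding OFF: text/template substitutes every
// variable verbatim, so a script payload reaches the browser unchanged.
func renderRaw(tpl string, params map[string]interface{}) (string, error) {
	t, err := texttpl.New("raw").Delims("${", "}").Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, params); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderAutoEncoded models auto-encoding ON as one fixed transformation:
// every string parameter is HTML-entity-encoded before substitution,
// regardless of the HTML context it is inserted into (assumption, see lead-in).
func renderAutoEncoded(tpl string, params map[string]interface{}) (string, error) {
	encoded := make(map[string]interface{}, len(params))
	for k, v := range params {
		if s, ok := v.(string); ok {
			encoded[k] = htmltpl.HTMLEscapeString(s)
		} else {
			encoded[k] = v
		}
	}
	return renderRaw(tpl, encoded)
}

// renderContextual uses html/template, which chooses the escaper from the
// position of the variable (text node, attribute, URL, script) at parse time.
func renderContextual(tpl string, params map[string]interface{}) (string, error) {
	t, err := htmltpl.New("ctx").Delims("${", "}").Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, params); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	nameParams := map[string]interface{}{"name": scriptPayload}
	urlParams := map[string]interface{}{"url": urlPayload}

	cases := []struct {
		label  string
		render func(string, map[string]interface{}) (string, error)
		tpl    string
		params map[string]interface{}
	}{
		{"raw, text context", renderRaw, nameTemplate, nameParams},
		{"auto-encode, text context", renderAutoEncoded, nameTemplate, nameParams},
		{"contextual, text context", renderContextual, nameTemplate, nameParams},
		{"auto-encode, href context", renderAutoEncoded, linkTemplate, urlParams},
		{"contextual, href context", renderContextual, linkTemplate, urlParams},
	}
	for _, c := range cases {
		out, err := c.render(c.tpl, c.params)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28s %s\n", c.label+":", out)
	}
}
```

The text-context rows show that entity encoding and html/template produce the same string as the page's execution output. The href rows show the limit of a single global encoding: the entity-encoded link still carries javascript:alert(1), while html/template replaces the unsafe URL with #ZgotmplZ. Whatever the engine's default, variables that end up inside URLs, event handlers or script blocks need escaping chosen for that context, not just the HTML text escaper.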