by sentiental 3448 days ago
One thing that might snag web applications built with Go 1.8 is the change to the html/template library. If you ever need to include script templates in your HTML for usage by a JavaScript template framework (in my case it was EJS), then you will need to be aware that html entities will be escaped in a way they were not in 1.7.

Given the following literal:

<script type="text/javascript"> <div><%= something %></div> </script>

Go 1.8 will escape the EJS delimiter, breaking the template. I.e.:

<script type="text/javascript"> <div>&lt;%= something %></div> </script>

I selected EJS specifically because I wanted a templating library that didn't conflict with html/template's handlebars syntax. If you're in the same boat you'll want to find a template engine with non-html entity delimiters.

3 comments

Just had a look at your issue:

https://github.com/golang/go/issues/18569

I think your comment above isn't quite right. The problem you're seeing is that previously this was escaped as js (incorrect), and now it is escaped as text (correct). If you set your type as above to "text/javascript", it works in go 1.8:

<script type="text/javascript"> <div><%= something %></div> </script>

on 1.8 outputs:

<script type="text/javascript"> <div><%= something %></div> </script>

The one that fails is if you set the type to text/template or similar, which makes sense I guess as it is not js but might be annoying if your library uses <> as delimiters. Should work with text/template though if you mark those snippets as template.HTML type before including in an html/template.

Thanks for looking! Yeah, I managed to typo the HN example - yes, my existing templates contain type="text/template", and I think that's how I filed the bug. It's possible for me to inject those templates with a variable instead of including them directly in the template, although that's a bit more invasive of a change than what I was doing before.
That's odd, that should not happen.

If it is true, please don't use the text template as a quick fix. A lot of security thinking went into the html template and without it you will have XSS all over your code.

Edit: sure enough, it validates type against known values and I assume jsx is not one of them.

Shouldn't you use a different "type"? What you're putting in there is not JavaScript, it's something else.

Use <script type="text/ejs">?

But it does become JavaScript so it needs the right script type. A way to work around this might be to do this:

<script type="<%= js_mime %>"> <div><%= something %>

then it won't be escaped presumably as js, but it will become js when it is run through the other templating system. sentiental, have you tried that approach?