As it would get a little bit confusing if I'd reply to everyone with a 
single post, I'll answer in a single post. I hope you don't mind. At least 
now it's past 16:00 and not past 04:00 and I have a clearer mind. ^^

@Egon: I've read the whole article - yes, many coders sadly do forget about 
proper sanitization of user-input. As I'm pretty focused on security, I 
know about the implications of many design-approaches. Easy-to-use 
approaches are neat and in that certain case super useful - but sadly not 
for my use-case. ^^

@Andy Balholm: No, the "blog posts" are not HTML. Again: There is a 
reusable HTML snippet. That snippet can be filled with user content - which 
truly needs to be sanitized due to security concerns. If the snippet gets 
sent to the user via asynchronous request there's nothing more to do as JS 
takes the part with putting it into its place. But if the whole page has to 
be rendered, that snippet needs to be put into the page, before the whole 
page gets sent to the user. The other way would be to leave the complete 
rendering to the user browser which comes with its very own disadvantages 
(i.e. no scripting available, etc.).
I thought that the whole package auto-sanitizes the content as you've 
stated before. Now, okay, it's usable for that use case. It's not perfect 
with all the artifacts one needs to put into the HTML code, but if 
necessary I can work with that. ^^

@Marvin Renich: Thank you for this information. I'm new to Golang and I 
probably misunderstood one comment here as "the (whole) template package 
does automatic escaping", so I didn't look further - my mistake. So it 
would be possible to implement everything via the template package - yet 
there's the disadvantage of the need to put artifacts into the markup which 
then get replaced by the wanted content (I have to look into it further - 
if there's an error if there is no data for some template code it's 
perfectly fine... otherwise it will look like some websites where the 
artifacts are visible to the user if they didn't get replaced).
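The set-up discussed in this thread (a reusable snippet filled with user content, rendered either on its own for an asynchronous request or embedded in the full page), as an added example that is not part of the original mail; the `Post` type, the template source and the sample values are constructed for illustration. It uses `missingkey=error` to answer the open question above: with a map as data, a placeholder with no value fails the execution instead of leaving an artifact in the output.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Post is constructed sample data: a user-supplied title and body.
type Post struct {
	Title string
	Body  string
}

// The reusable snippet is defined once and embedded in the full page. Its
// markup is trusted template text; {{.Title}} and {{.Body}} are user data and
// are contextually escaped by html/template.
const src = `{{define "post"}}<article><h2>{{.Title}}</h2><p>{{.Body}}</p></article>{{end}}` +
	`<body>{{range .Posts}}{{template "post" .}}{{end}}</body>`

// missingkey=error makes a map lookup with no data fail the execution instead
// of leaving a placeholder artifact in the rendered output.
var tmpl = template.Must(template.New("page").Option("missingkey=error").Parse(src))

// RenderPage renders the complete page server-side with the snippets filled in.
func RenderPage(posts []Post) (string, error) {
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, map[string]interface{}{"Posts": posts})
	return buf.String(), err
}

// RenderSnippet renders only the reusable snippet, for example to answer an
// asynchronous request whose result client-side JS places into the DOM.
// It takes a map so that a missing key is reported as an error.
func RenderSnippet(data map[string]interface{}) (string, error) {
	var buf bytes.Buffer
	err := tmpl.ExecuteTemplate(&buf, "post", data)
	return buf.String(), err
}

func main() {
	posts := []Post{{Title: "Hi <b>there</b>", Body: "<script>alert(1)</script>"}}
	out, err := RenderPage(posts)
	fmt.Println(out, err) // user content arrives escaped, snippet markup intact
	_, err = RenderSnippet(map[string]interface{}{"Title": "no body"})
	fmt.Println("missing data:", err) // execution error, no visible artifact
}
```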
