Merge commit 'e509cac533600cf4fa8382c9cdab78ddd82db688'

2025-08-20 21:31:32 +02:00 · 2023-10-20 09:43:56 +02:00
parent fd38171810 e509cac533
commit e2dd4cd05f
298 changed files with 4568 additions and 1991 deletions
--- a/docs/content/en/functions/safe/JSStr.md
+++ b/docs/content/en/functions/safe/JSStr.md
@@ -0,0 +1,61 @@
+---
+title: safe.JSStr
+linkTitle: safeJSStr
+description: Declares the provided string as a known safe JavaScript string.
+categories: [functions]
+keywords: []
+menu:
+  docs:
+    parent: functions
+function:
+  aliases: [safeJSStr]
+  returnType: template.JSStr
+  signatures: [safe.JSStr INPUT]
+relatedFunctions:
+  - safe.CSS
+  - safe.HTML
+  - safe.HTMLAttr
+  - safe.JS
+  - safe.JSStr
+  - safe.URL
+aliases: [/functions/safejsstr]
+---
+
+Encapsulates a sequence of characters meant to be embedded between quotes in a JavaScript expression. Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
+  
+Without declaring a variable to be a safe JavaScript string:
+
+```go-html-template
+{{ $title := "Lilo & Stitch" }}
+<script>
+  const a = "Title: " + {{ $title }};
+</script>
+```
+
+Rendered:
+
+
+```html
+<script>
+  const a = "Title: " + "Lilo \u0026 Stitch";
+</script>
+```
+
+To avoid escaping by Go's [html/template] package:
+
+```go-html-template
+{{ $title := "Lilo & Stitch" }}
+<script>
+  const a = "Title: " + {{ $title | safeJSStr }};
+</script>
+```
+
+Rendered:
+
+```html
+<script>
+  const a = "Title: " + "Lilo & Stitch";
+</script>
+```
+
+[html/template]: https://pkg.go.dev/html/template