safehtml
provides immutable string-like types that wrap web types such as
HTML, JavaScript and CSS. These wrappers are safe by construction against XSS
and similar web vulnerabilities, and they can only be interpolated in safe ways.
You can read more about our approach to web security in our
whitepaper,
or this OWASP talk.
Additional subpackages provide APIs for managing exceptions to the
safety rules, and a template engine with a syntax and interface that closely
matches html/template
. You can refer
to the godoc
for each (sub)package for the API documentation and code examples.
More end-to-end demos are available in example_test.go
.
This is not an officially supported Google product.