Refactor Safe modifier (#29392)

After this PR: no need to play with the Safe/Escape tricks anymore. See the changes for more details.
2025-07-22 18:28:37 +00:00 · 2024-02-25 18:45:56 +08:00
parent 2e33671f2c
commit f9207b0947
26 changed files with 89 additions and 65 deletions
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -9,6 +9,7 @@ import (
 	"html"
 	"html/template"
 	"net/url"
+	"slices"
 	"strings"
 	"time"

@@ -34,7 +35,8 @@ func NewFuncMap() template.FuncMap {
 		// html/template related functions
 		"dict":        dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
 		"Eval":        Eval,
-		"Safe":        Safe,
+		"SafeHTML":    SafeHTML,
+		"HTMLFormat":  HTMLFormat,
 		"Escape":      Escape,
 		"QueryEscape": url.QueryEscape,
 		"JSEscape":    JSEscapeSafe,
@@ -177,8 +179,25 @@ func NewFuncMap() template.FuncMap {
 	}
 }

-// Safe render raw as HTML
-func Safe(s any) template.HTML {
+func HTMLFormat(s string, rawArgs ...any) template.HTML {
+	args := slices.Clone(rawArgs)
+	for i, v := range args {
+		switch v := v.(type) {
+		case nil, bool, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, float32, float64, template.HTML:
+			// for most basic types (including template.HTML which is safe), just do nothing and use it
+		case string:
+			args[i] = template.HTMLEscapeString(v)
+		case fmt.Stringer:
+			args[i] = template.HTMLEscapeString(v.String())
+		default:
+			args[i] = template.HTMLEscapeString(fmt.Sprint(v))
+		}
+	}
+	return template.HTML(fmt.Sprintf(s, args...))
+}
+
+// SafeHTML render raw as HTML
+func SafeHTML(s any) template.HTML {
 	switch v := s.(type) {
 	case string:
 		return template.HTML(v)
--- a/modules/templates/helper_test.go
+++ b/modules/templates/helper_test.go
@@ -4,6 +4,7 @@
 package templates

 import (
+	"html/template"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -56,3 +57,7 @@ func TestSubjectBodySeparator(t *testing.T) {
 func TestJSEscapeSafe(t *testing.T) {
 	assert.EqualValues(t, `\u0026\u003C\u003E\'\"`, JSEscapeSafe(`&<>'"`))
 }
+
+func TestHTMLFormat(t *testing.T) {
+	assert.Equal(t, template.HTML("<a>&lt; < 1</a>"), HTMLFormat("<a>%s %s %d</a>", "<", template.HTML("<"), 1))
+}