-<h1>Editing {{.Title |html}}</h1>
+<h1>Editing {{.Title}}</h1>
-<form action="/save/{{.Title |html}}" method="POST">
-<div><textarea name="body" rows="20" cols="80">{{printf "%s" .Body |html}}</textarea></div>
+<form action="/save/{{.Title}}" method="POST">
+<div><textarea name="body" rows="20" cols="80">{{printf "%s" .Body}}</textarea></div>
<div><input type="submit" value="Save"></div>
</form>
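Review bot: Removing `|html` from `action="/save/{{.Title}}"` changes which escaping is applied, not only where it comes from, and the surrounding text should say so. html/template picks the escaper from the HTML context, so a value inserted into a URL attribute is run through URL normalization (characters that are not valid in a URL, such as spaces, are percent-encoded) before attribute escaping, whereas the old `html` formatter only replaced HTML metacharacters regardless of context. That is the safer behaviour, but a page title containing such characters will now reach the save handler percent-encoded, so the handler's path parsing should be checked against that. The textarea line is fine as written: `printf "%s"` is still required because `.Body` is a byte slice, and without it the value would be rendered as a list of numbers rather than the page text.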
<pre>
import (
+ <b>"html/template"</b>
"http"
"io/ioutil"
"os"
- <b>"html/template"</b>
)
</pre>
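Review bot: This import swap is invisible to the compiler, and that deserves a sentence in the text: both `text/template` and `html/template` export the package name `template` with the same parsing and execution functions, so the rest of the program builds unchanged and nothing will flag a template that is still parsed by the text package. Since the safety of dropping every `|html` filter in the other hunks rests entirely on this one line, the later code listings that parse and execute the templates should be rechecked to confirm they refer to the same `template` identifier, and the prose should state that the automatic escaping only applies when the templates are parsed through `html/template`. Moving the line to the top also keeps the import block sorted, which is the right placement.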
The <code>printf "%s" .Body</code> instruction is a function call
that outputs <code>.Body</code> as a string instead of a stream of bytes,
the same as a call to <code>fmt.Printf</code>.
-The <code>|html</code> part of each directive pipes the value through the
-<code>html</code> formatter before outputting it, which escapes HTML
-characters (such as replacing <code>></code> with <code>&gt;</code>),
-preventing user data from corrupting the form HTML.
+The <code>html/template</code> package helps guarantee that only safe and
+correct-looking HTML is generated by template actions. For instance, it
+automatically escapes any greater than sign (<code>></code>), replacing it
+with <code>&gt;</code>, to make sure user data does not corrupt the form
+HTML.
</p>
<p>
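Review bot: The new paragraph understates what changes by describing only the `>` to `&gt;` replacement, which is exactly what the old `html` formatter already did; the reason to prefer `html/template` is that its escaping is contextual. The same `{{.Title}}` is escaped differently inside `action="/save/..."` (URL normalization plus attribute escaping) than inside `<h1>` (text escaping), whereas `|html` applied one fixed entity substitution everywhere. Suggest adding a sentence to that effect and, in place of "safe and correct-looking HTML", naming the property the package documents, output safe against code injection, since the point of the change is preventing user-supplied page content from being interpreted as markup or script rather than cosmetic correctness.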
-<h1>{{.Title |html}}</h1>
+<h1>{{.Title}}</h1>
-<p>[<a href="/edit/{{.Title |html}}">edit</a>]</p>
+<p>[<a href="/edit/{{.Title}}">edit</a>]</p>
-<div>{{printf "%s" .Body |html}}</div>
+<div>{{printf "%s" .Body}}</div>
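Review bot: Worth stating next to `<div>{{printf "%s" .Body}}</div>` that page bodies are now rendered as literal text, so any markup a user types into the editor is displayed rather than interpreted; that is the intended protection for user-entered content and should be called out as such, because a reader extending the wiki to render markup might be tempted to drop the escaping. If rendered HTML is ever wanted, the supported route is to sanitize the content and pass it as a `template.HTML` value rather than to bypass the escaper. The `href="/edit/{{.Title}}"` line carries the same URL-context behaviour noted for the form action in edit.html.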