From 0ec709f180c8c2453694d79d1761e279ea77f675 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Wed, 8 May 2024 09:17:05 -0700 Subject: [PATCH] html: update jstmpllitinterp doc We no longer do anything with this GODEBUG. Fixes #66217 Change-Id: I998797b6a573013f5b9c8ded835acae572327d18 Reviewed-on: https://go-review.googlesource.com/c/go/+/584117 Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI Auto-Submit: Roland Shoemaker --- doc/godebug.md | 4 ++++ src/html/template/doc.go | 10 ++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/doc/godebug.md b/doc/godebug.md index b5bee3a613..b3a00a0c2b 100644 --- a/doc/godebug.md +++ b/doc/godebug.md @@ -193,6 +193,10 @@ Go 1.23 changed the behavior of serial numbers that are longer than 20 octets. This change can be reverted with the the [`x509seriallength` setting](/pkg/crypto/x509/#ParseCertificate). +Go 1.23 re-enabled support in html/template for ECMAScript 6 template literals by default. +The [`jstmpllitinterp` setting](/pkg/html/template#hdr-Security_Model) no longer has +any effect. + ### Go 1.22 Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size diff --git a/src/html/template/doc.go b/src/html/template/doc.go index 672d42ba32..b7be04cbd0 100644 --- a/src/html/template/doc.go +++ b/src/html/template/doc.go @@ -232,11 +232,9 @@ Least Surprise Property: knows that contextual autoescaping happens should be able to look at a {{.}} and correctly infer what sanitization happens." -As a consequence of the Least Surprise Property, template actions within an -ECMAScript 6 template literal are disabled by default. -Handling string interpolation within these literals is rather complex resulting -in no clear safe way to support it. -To re-enable template actions within ECMAScript 6 template literals, use the -GODEBUG=jstmpllitinterp=1 environment variable. +Previously, ECMAScript 6 template literal were disabled by default, and could be +enabled with the GODEBUG=jstmpllitinterp=1 environment variable. Template +literals are now supported by default, and setting jstmpllitinterp has no +effect. */ package template -- 2.48.1