diff --git a/src/pkg/html/template/doc.go b/src/pkg/html/template/doc.go
index fc0e3826442c05b0809ed9ba2e4d84494d981a1d..77a9bf2e225b8a0aefdd691bd53d1b81b3da2a5b 100644
--- a/src/pkg/html/template/doc.go
+++ b/src/pkg/html/template/doc.go
@@ -31,8 +31,8 @@ Example
 import "text/template"
 ...
- t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
- err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
+ t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
+ err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
 produces
@@ -42,12 +42,12 @@ but with contextual autoescaping,
 import "html/template"
 ...
- t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
- err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
+ t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
+ err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
 produces safe, escaped HTML output
- Hello, <script>alert('you have been pwned')</script>!
+ Hello, <script>alert('you have been pwned')</script>!
 Contexts
@@ -57,8 +57,8 @@ functions to each simple action pipeline, so given the excerpt
 <a href="/search?q={{.}}">{{.}}</a>
-At parse time each {{.}} is overwritten to add escaping functions as necessary,
-in this case,
+At parse time each {{.}} is overwritten to add escaping functions as necessary.
+In this case it becomes
 <a href="/search?q={{. | urlquery}}">{{. | html}}</a>
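Review bot: In the second hunk, the line under "produces safe, escaped HTML output" is identical on the removed and added sides and shows a literal `<script>` element, which contradicts the sentence above it. The entity escapes were most likely decoded when this page was rendered, so the real difference between the two sides is not visible here. The documented html/template output for this input has the markup neutralised, along the lines of `Hello, &lt;script&gt;alert(&#39;you have been pwned&#39;)&lt;/script&gt;!`, and the example should be read that way. Separately, both examples assign `err` from `Parse` and then overwrite it with the `ExecuteTemplate` result without checking it. An `if err != nil { ... }` between the two statements would keep readers from copying an unchecked parse error.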