From f31a22d5f8745d08a8d13717ae4e6a7040ab20ae Mon Sep 17 00:00:00 2001 From: Ian Gulliver Date: Sat, 14 Feb 2026 21:51:49 -0800 Subject: [PATCH] Use text/template for JS files to avoid html/template escaping --- main.go | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/main.go b/main.go index f91fbe4..3f44bd3 100644 --- a/main.go +++ b/main.go @@ -10,6 +10,7 @@ import ( "encoding/json" "fmt" "html/template" + texttemplate "text/template" "log" "net/http" "os" @@ -23,7 +24,10 @@ import ( //go:embed schema.sql var schema string -var templates *template.Template +var ( + htmlTemplates *template.Template + jsTemplates *texttemplate.Template +) func main() { for _, key := range []string{"PGCONN", "CLIENT_ID", "CLIENT_SECRET"} { @@ -47,8 +51,8 @@ func main() { log.Fatalf("failed to apply schema: %v", err) } - templates = template.Must(template.New("").ParseGlob("static/*.html")) - template.Must(templates.ParseGlob("static/*.js")) + htmlTemplates = template.Must(template.New("").ParseGlob("static/*.html")) + jsTemplates = texttemplate.Must(texttemplate.New("").ParseGlob("static/*.js")) http.HandleFunc("/", handleStatic) http.HandleFunc("POST /auth/google/callback", handleGoogleCallback) @@ -90,17 +94,24 @@ func handleStatic(w http.ResponseWriter, r *http.Request) { name := strings.TrimPrefix(path, "/") - if strings.HasSuffix(name, ".html") || strings.HasSuffix(name, ".js") { - t := templates.Lookup(name) + if strings.HasSuffix(name, ".html") { + t := htmlTemplates.Lookup(name) if t == nil { http.NotFound(w, r) return } - if strings.HasSuffix(name, ".html") { - w.Header().Set("Content-Type", "text/html") - } else { - w.Header().Set("Content-Type", "application/javascript") + w.Header().Set("Content-Type", "text/html") + t.Execute(w, templateData()) + return + } + + if strings.HasSuffix(name, ".js") { + t := jsTemplates.Lookup(name) + if t == nil { + http.NotFound(w, r) + return } + w.Header().Set("Content-Type", "application/javascript") t.Execute(w, templateData()) return }