Document safe.JSStr function

2025-09-19 14:34:49 -04:00 · 2023-09-28 13:48:50 -07:00 · 2023-09-28 13:48:50 -07:00 · 7551ba28f7
commit 7551ba28f7
parent e77993be08
6 changed files with 64 additions and 0 deletions
--- a/content/en/functions/safeCSS.md
+++ b/content/en/functions/safeCSS.md
@ -12,6 +12,7 @@ relatedFuncs:
  - safe.HTML
  - safe.HTMLAttr
  - safe.JS
+  - safe.JSStr
  - safe.URL
 signature:
  - safe.CSS INPUT
--- a/content/en/functions/safeHTML.md
+++ b/content/en/functions/safeHTML.md
@ -12,6 +12,7 @@ relatedFuncs:
  - safe.HTML
  - safe.HTMLAttr
  - safe.JS
+  - safe.JSStr
  - safe.URL
 signature:
  - safe.HTML INPUT
--- a/content/en/functions/safeHTMLAttr.md
+++ b/content/en/functions/safeHTMLAttr.md
@ -12,6 +12,7 @@ relatedFuncs:
  - safe.HTML
  - safe.HTMLAttr
  - safe.JS
+  - safe.JSStr
  - safe.URL
 signature:
  - safe.HTMLAttr INPUT
--- a/content/en/functions/safeJS.md
+++ b/content/en/functions/safeJS.md
@ -12,6 +12,7 @@ relatedFuncs:
  - safe.HTML
  - safe.HTMLAttr
  - safe.JS
+  - safe.JSStr
  - safe.URL
 signature:
  - safe.JS INPUT
--- a/content/en/functions/safeJSStr.md
+++ b/content/en/functions/safeJSStr.md
@ -0,0 +1,59 @@
+---
+title: safeJSStr
+description: Declares the provided string as a known safe JavaScript string.
+categories: [functions]
+menu:
+  docs:
+    parent: functions
+keywords: []
+namespace: safe
+relatedFuncs:
+  - safe.CSS
+  - safe.HTML
+  - safe.HTMLAttr
+  - safe.JS
+  - safe.JSStr
+  - safe.URL
+signature:
+  - safe.JSStr INPUT
+  - safeJSStr INPUT
+---
+
+Encapsulates a sequence of characters meant to be embedded between quotes in a JavaScript expression. Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
+  
+Without declaring a variable to be a safe JavaScript string:
+
+```go-html-template
+{{ $title := "Lilo & Stitch" }}
+<script>
+  const a = "Title: " + {{ $title }};
+</script>
+```
+
+Rendered:
+
+
+```html
+<script>
+  const a = "Title: " + "Lilo \u0026 Stitch";
+</script>
+```
+
+To avoid escaping by Go's [html/template] package:
+
+```go-html-template
+{{ $title := "Lilo & Stitch" }}
+<script>
+  const a = "Title: " + {{ $title | safeJSStr }};
+</script>
+```
+
+Rendered:
+
+```html
+<script>
+  const a = "Title: " + "Lilo & Stitch";
+</script>
+```
+
+[html/template]: https://pkg.go.dev/html/template
--- a/content/en/functions/safeURL.md
+++ b/content/en/functions/safeURL.md
@ -13,6 +13,7 @@ relatedFuncs:
  - safe.HTML
  - safe.HTMLAttr
  - safe.JS
+  - safe.JSStr
  - safe.URL
 signature:
  - safe.URL INPUT