Show go-nuts: Go based templating language that's 5-7x faster than text/template


Shane Hansen

Aug 27, 2013, 2:46:57 AM8/27/13
to golang-nuts
Thought I'd throw this to the sharks and get some feedback.
Gosp is a strongly typed templating language that compiles down to optimized go code using the gospc tool, very similar to how several of the infamous X Server Pages technologies have worked. My goal is to bring the benefits of go (fast compilation times, great performance, a type system that helps rather than hinders) to templates, specifically on the web.

My initial benchmarks (flawed I'm sure) have shown a 5-7x performance boost over text/template.

https://github.com/shanemhansen/gosp

I modeled the type declarations after scala's templates: http://www.playframework.com/documentation/2.0/ScalaTemplates

Eventually I plan on building up some libraries around this for doing themes/asset pipelines, but the focus will be on good libraries and APIs, not custom extensions to the tag language like django.

A gosp file looks something like:

@(name string)
Ho <%=name %>, I heard you like go.

luz...@gmail.com

Aug 27, 2013, 2:53:54 AM8/27/13
to golan...@googlegroups.com
Does it do automatic contextual escaping to avoid XSS attacks like the standard library's html/template system does?

Shane Hansen

Aug 27, 2013, 12:52:00 PM8/27/13
to luz...@gmail.com, golang-nuts
No plans for anything html-specific currently. My goal is to make the templates DWIS (do what I say) rather than DWIM. I'm also a bit nervous of automatic string escaping regardless of the app.

Other frameworks' conventions for escaping haven't done great (PHP's magic quotes, rails escape_once). I'd prefer escaping happen at one well defined point within the app and require thinking about the data you're about to spit out to the user.

I'd be more likely to prefer a solution like what's used for internationalization: https://docs.djangoproject.com/en/dev/topics/i18n/translation/ Wrap unsafe string output in a short helper function.




On Tue, Aug 27, 2013 at 12:53 AM, <luz...@gmail.com> wrote:
> Does it do automatic contextual escaping to avoid XSS attacks like the standard library's html/template system does?


Kyle Lemons

Aug 27, 2013, 4:41:46 PM8/27/13
to Shane Hansen, luzon83, golang-nuts
Experience has dictated that contextual auto-escaping is pretty much the only way to ensure people do it right.  If you give them escape hatches, they can then proceed to shoot themselves in the foot, of course.

Shane Hansen

Aug 27, 2013, 6:24:17 PM8/27/13
to Kyle Lemons, luzon83, golang-nuts
Call me an old curmudgeon, but my experience has dictated that you don't trust user input and you be careful when outputting something you got from the user. PHP's magic quotes are the most infamous example of the pitfalls of automatic escaping applied too liberally.

To quote: "The very reason magic quotes are deprecated is that a one-size-fits-all approach to escaping/quoting is wrongheaded and downright dangerous." -- Some random internet dude

It's possible I'm missing something here and that "contextual" escaping avoids these pitfalls. It seems to me that parsing the text you're outputting as HTML is an unnecessary responsibility to add to a text templating language.

If I become convinced, it's relatively straightforward to make <%=foo%> render as output.WriteEscaped(foo)

I prefer general purpose tools with a little less "magic".

Andrew Gerrand

Aug 27, 2013, 6:41:26 PM8/27/13
to Shane Hansen, Kyle Lemons, luzon83, golang-nuts

On 28 August 2013 08:24, Shane Hansen <shanem...@gmail.com> wrote:
> PHP's magic quotes are the most infamous example of the pitfalls of automatic escaping applied too liberally.

PHP is totally broken in myriad ways. It is best ignored.

The html/template package was designed by someone who understands security. It is very nicely done.

At Google we have embraced this method of auto-escaping and it has worked very well for us.

Andrew

Kyle Lemons

Aug 27, 2013, 6:47:12 PM8/27/13
to Shane Hansen, luzon83, golang-nuts
On Tue, Aug 27, 2013 at 3:24 PM, Shane Hansen <shanem...@gmail.com> wrote:
> Call me an old curmudgeon, but my experience has dictated that you don't trust user input and you be careful when outputting something you got from the user. PHP's magic quotes are the most infamous example of the pitfalls of automatic escaping applied too liberally.
>
> To quote: "The very reason magic quotes are deprecated is that a one-size-fits-all approach to escaping/quoting is wrongheaded and downright dangerous." -- Some random internet dude
>
> It's possible I'm missing something here and that "contextual" escaping avoids these pitfalls. It seems to me that parsing the text you're outputting as HTML is an unnecessary responsibility to add to a text templating language.

The "contextual" bit is the key.  The template is parsed, and the context in which each insertion is made is determined, and thus the correct form of escaping is known.  There are something like 15 supported contexts, ranging from HTML to text to javascript.  It doesn't make guesses; if it can't do the right thing, the template will fail to parse.
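To make the difference concrete, here is an added Go example (not code from gosp or from anyone in this thread) that renders one template with the same user-supplied value inserted in three contexts, first through text/template (the "do what I say" path) and then through html/template, and shows html/template refusing a template it cannot escape. The hostile value is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed hostile input, standing in for a user-supplied "name".
const hostile = `"><script>alert(1)</script>`

// One template with the same value inserted in three contexts: HTML text,
// a URL query parameter inside a quoted attribute, and a JavaScript value.
const body = `<p>Hi {{.Name}}</p>` +
	`<a href="/u?q={{.Name}}">me</a>` +
	`<script>var n = {{.Name}};</script>`

type page struct{ Name string }

// RenderText is the "do what I say" path: text/template writes the value as-is.
func RenderText(name string) (string, error) {
	var buf bytes.Buffer
	err := texttemplate.Must(texttemplate.New("t").Parse(body)).Execute(&buf, page{Name: name})
	return buf.String(), err
}

// RenderHTML is the contextual path: html/template works out the context of
// each {{.Name}} when the template is first executed and picks the escaper
// for it (HTML entities, percent-encoding, or a JSON/JS string literal).
func RenderHTML(name string) (string, error) {
	var buf bytes.Buffer
	err := htmltemplate.Must(htmltemplate.New("t").Parse(body)).Execute(&buf, page{Name: name})
	return buf.String(), err
}

// AmbiguousContext shows the "refuse rather than guess" rule: this template
// ends inside <script>, so html/template returns an error instead of output.
func AmbiguousContext() error {
	t := htmltemplate.Must(htmltemplate.New("bad").Parse(`<script>var n = {{.Name}}`))
	return t.Execute(&bytes.Buffer{}, page{Name: "x"})
}

func main() {
	raw, _ := RenderText(hostile)
	safe, _ := RenderHTML(hostile)
	fmt.Println(raw)
	fmt.Println(safe)
	fmt.Println("ambiguous template:", AmbiguousContext())
}
```

Note that html/template's Parse succeeds for the ambiguous template; the error surfaces on the first Execute, which is when the context analysis runs.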

linux...@gmail.com

Aug 27, 2013, 7:01:59 PM8/27/13
to golan...@googlegroups.com, Shane Hansen, luzon83
Just to let you guys know: I am working on a real HTML template system for Go. It uses the same idea to translate the template to Go language, but far more complex than gosp.

On my i5 quad core (2750k), it renders ~150k pages per second.

It's 85% done. I am going to release it in one month also, after the last two must-have big features are implemented.

Shane Hansen

Aug 27, 2013, 8:08:51 PM8/27/13
to linux...@gmail.com, golan...@googlegroups.com, luzon83
"PHP is totally broken in myriad ways. It is best ignored." Those who ignore the past are doomed to repeat it.

Well, gosp is out there, it's fast, and it will let you shoot yourself in the foot if that's where you point the gun. I could always be wrong. Shrug.

I should read more of the html template source. Figuring out whether the fragment you are rendering is html4, html5, XHTML, an attribute, style, or script sounds pretty daunting. Props to whoever figured out all the edge cases there.

Andrew Gerrand

Aug 27, 2013, 8:12:29 PM8/27/13
to Shane Hansen, linux...@gmail.com, golan...@googlegroups.com, luzon83
On 28 August 2013 10:08, Shane Hansen <shanem...@gmail.com> wrote:
> "PHP is totally broken in myriad ways. It is best ignored." Those who ignore the past are doomed to repeat it.

That's true. I should have phrased it better. What I meant: pointing to PHP's totally broken "magic quotes" feature is not a useful criticism of automatic escaping. It can be done well.

> Well, gosp is out there, it's fast, and it will let you shoot yourself in the foot if that's where you point the gun. I could always be wrong. Shrug.

You're not "wrong" as it's not a goal of your library. It might be worth considering adding such a feature, though.

> I should read more of the html template source. Figuring out whether the fragment you are rendering is html4, html5, XHTML, an attribute, style, or script sounds pretty daunting. Props to whoever figured out all the edge cases there.

It is indeed impressive work! :-)

Andrew

Shane Hansen

Aug 27, 2013, 8:20:47 PM8/27/13
to Andrew Gerrand, linux...@gmail.com, golan...@googlegroups.com, luzon83
Thanks everybody for the suggestions. The feedback on this list is invaluable.

Nigel Tao

Aug 27, 2013, 8:29:14 PM8/27/13
to Shane Hansen, linux...@gmail.com, golan...@googlegroups.com, luzon83
On Wed, Aug 28, 2013 at 10:08 AM, Shane Hansen <shanem...@gmail.com> wrote:
> I should read more of the html template source. Figuring out whether the
> fragment you are rendering is html4, html5, XHTML, an attribute, style, or
> script sounds pretty daunting. Props to whoever figured out all the edge
> cases there.

Mike Samuel wrote html/template. He also wrote
http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition