Go's html/template package automatically escapes the output of {{.Variable}} actions, converting special characters such as < and > into HTML entities (the text/template package performs no such escaping). This prevents Cross-Site Scripting (XSS) attacks without requiring manual intervention.
package main

import (
	"html/template"
	"log"
	"os"
)

func main() {
	// html/template escapes each {{...}} action according to its position in the markup.
	tmpl := template.Must(template.New("page").Parse(`
<!DOCTYPE html>
<html>
<body>
<h1>{{.Title}}</h1>
<p>{{.Content}}</p>
</body>
</html>`))
	data := map[string]string{
		"Title":   "Hello",
		"Content": "<script>alert('XSS')</script>", // untrusted input: written as entities, never as a live script
	}
	if err := tmpl.Execute(os.Stdout, data); err != nil {
		log.Fatal(err)
	}
}
If you explicitly need to render raw HTML, use the {{.Variable | html}} action, but only if the content is trusted.
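An added example, not code from the original page: it runs the same untrusted string through html/template and captures the result, showing the entity-escaped element text, the separate URL filtering html/template applies inside an href attribute, and the package's template.HTML type, which marks a value as trusted so it is written unescaped. The Page type, the Render functions and the sample inputs are this example's own constructions.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// One template with two contexts: element text and a URL attribute.
// html/template chooses the escaper for each action from where it sits in the markup.
var page = template.Must(template.New("page").Parse(
	`<h1>{{.Title}}</h1><p>{{.Content}}</p><a href="{{.Link}}">more</a>`))

// Page is the data handed to the template. Content may hold a plain string
// (escaped on output) or a template.HTML value (emitted verbatim).
type Page struct {
	Title   string
	Content interface{}
	Link    string
}

// Render executes the template into a string so the output can be inspected.
func Render(p Page) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUntrusted passes attacker-controlled text through as a plain string:
// html/template entity-escapes it, and an href with a non-http(s)/mailto scheme
// is replaced by the placeholder "#ZgotmplZ".
func RenderUntrusted(title, content, link string) (string, error) {
	return Render(Page{Title: title, Content: content, Link: link})
}

// RenderTrusted wraps content in template.HTML, which html/template writes
// without escaping. Use it only for markup you generated or sanitized yourself.
func RenderTrusted(title, content, link string) (string, error) {
	return Render(Page{Title: title, Content: template.HTML(content), Link: link})
}

func main() {
	// Constructed sample inputs: a script payload in text and a javascript: URL.
	out, _ := RenderUntrusted("Hello", "<script>alert('XSS')</script>", "javascript:alert(1)")
	fmt.Println(out)
	out, _ = RenderTrusted("Hello", "<b>bold</b>", "https://example.com/")
	fmt.Println(out)
}
```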