Last Updated: May 22, 2026
The text/template package produces any kind of text output: config files, emails, code, plain HTML you write yourself. The moment user-supplied data lands in an HTML page, though, text/template becomes a liability. A customer review that contains <script>steal()</script> will render as a working script tag, and the attacker has a stored cross-site scripting hole. The html/template package is the standard library's answer to that problem. It speaks the same syntax as text/template, but it watches where each value is going to land in the output and escapes it for that exact context.
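The difference described above, as an added example that is not part of the original page: one template is parsed by both packages and executed with the review string from the paragraph. The template text and the names `page`, `review`, `renderText` and `renderHTML` are constructed for illustration.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"io"
	"strings"
	texttemplate "text/template"
)

// Constructed page: one value lands in an attribute, in element text and in JavaScript.
const page = `<p title="{{.}}">{{.}}</p>
<script>var review = {{.}};</script>
`

// Constructed customer review carrying the payload from the paragraph above.
const review = `<script>steal()</script>`

// executor is the method both template types share.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func render(t executor, data string) string {
	var b strings.Builder
	if err := t.Execute(&b, data); err != nil {
		return "render error: " + err.Error()
	}
	return b.String()
}

// renderText uses text/template: the value is copied into the output unchanged.
func renderText(data string) string {
	return render(texttemplate.Must(texttemplate.New("page").Parse(page)), data)
}

// renderHTML uses html/template: the value is escaped for each context it lands in.
func renderHTML(data string) string {
	return render(htmltemplate.Must(htmltemplate.New("page").Parse(page)), data)
}

func main() {
	fmt.Print("text/template:\n", renderText(review), "\n")
	fmt.Print("html/template:\n", renderHTML(review))
}
```

In the html/template output the attribute and the element text carry `&lt;script&gt;`, while the value inside the script block becomes a quoted JavaScript string with `\u003c` escapes.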