Can safehtml support custom attributes like one that HTMX requires?

[mikeschinkel]

I started a personal web project and decided to use this package rather than the default html/template as it seems like a responsible thing to do, but I am running into an error that I cannot get around without forking the package:

html/template:my.template.html: cannot escape action {{.Url}}: actions 
must not occur in the "hx-get" attribute value context of a "li" element

From reading the code is seems that you have hardcoded all potential element-attribute combinations into elementSpecificAttrValSanitizationContext and globalAttrValSanitizationContext/elementContentSanitizationContext and thus the hx-get attribute is disallowed, right?

Is there any reason why it would be unsafe to add a method that allows adding attributes to be considered valid, assuming they are adding using string literals passed to the method that would add them?

If not, seems like a really easy enhancement I could add and create a PR for? Would that be something you would consider allowing?

[crhntr]

HTMX supports a data- prefixed attributes. Using these prefixes gets around the issue but it unfortunately also sidesteps autosanitization.

See https://go.dev/play/p/vaIXoHcrdRx

package main

import (
	"os"

	"github.com/google/safehtml/template"
)

func main() {
	t := template.Must(template.New("example").Parse(`<div data-hx-get="{{.URL}}"></div>`))

	err := t.Execute(os.Stdout, struct {
		URL string
	}{
		URL: "http://example.com",
	})
	if err != nil {
		panic(err)
	}
}

<div data-hx-get="http://example.com"></div>

I've written a few larger htmx apps and I suspect the next place you'd face a similar issue is with hx-on:* attributes.

• Here is an example showing that related error: https://go.dev/play/p/hRKNSVlpwzz.
• Here is a fix: https://go.dev/play/p/1gdXorQ9yBJ (worked with htmx.org@2.0.3)