Sync docs for release https://github.com/gofiber/template/releases/ta…

…g/handlebars/v2.1.8
gofiber · Feb 19, 2024 · c6f08aa · c6f08aa
1 parent fc1b4df
commit c6f08aa
Showing 1 changed file with 44 additions and 4 deletions.
diff --git a/template_versioned_docs/version-handlebars_v2.x.x/django/README.md b/template_versioned_docs/version-handlebars_v2.x.x/django/README.md
@@ -59,9 +59,9 @@ func main() {
 	// Create a new engine
 	engine := django.New("./views", ".django")
 
-  // Or from an embedded system
-  // See github.com/gofiber/embed for examples
-  // engine := html.NewFileSystem(http.Dir("./views", ".django"))
+	// Or from an embedded system
+	// See github.com/gofiber/embed for examples
+	// engine := html.NewFileSystem(http.Dir("./views", ".django"))
 
 	// Pass the engine to the Views
 	app := fiber.New(fiber.Config{
@@ -194,4 +194,44 @@ If you need to access a value in the template that doesn't adhere to the key nam
 c.Render("index", fiber.Map{
     "Fiber": "Hello, World!\n\nGreetings from Fiber Team",
     "MyKey": c.Locals("my-key"),
-})
+})
+
+### AutoEscape is enabled by default
+
+When you create a new instance of the `Engine`, the auto-escape is **enabled by default**. This setting automatically escapes output, providing a critical security measure against Cross-Site Scripting (XSS) attacks.
+
+### Disabling Auto-Escape
+
+Auto-escaping can be disabled if necessary, using the `SetAutoEscape` method:
+
+```go
+engine := django.New("./views", ".django")
+engine.SetAutoEscape(false)
+```
+
+### Setting AutoEscape using Django built-in template tags
+
+- Explicitly turning off autoescaping for a section:
+```django  
+  {% autoescape off %}
+  {{ "<script>alert('Hello World');</script>" }}
+  {% endautoescape %}
+```
+
+- Turning autoescaping back on for a section:
+```django
+  {% autoescape on %}
+  {{ "<script>alert('Hello World');</script>" }}
+  {% endautoescape %}
+```
+- It can also be done on a per variable basis using the *safe* built-in:
+```django
+<h1>{{ someSafeVar | safe }}</h1>
+{{ "<script>" | safe }}
+```
+
+### Security Implications of Disabling Auto-Escape
+
+Disabling auto-escape should be approached with caution. It can expose your application to XSS attacks, where malicious scripts are injected into web pages. Without auto-escaping, there is a risk of rendering harmful HTML or JavaScript from user-supplied data.
+
+It is advisable to keep auto-escape enabled unless there is a strong reason to disable it. If you do disable it, ensure all user-supplied content is thoroughly sanitized and validated to avoid XSS vulnerabilities.