
Security: templates are vulnerable to XSS #91

Open
empijei opened this issue May 10, 2022 · 0 comments


empijei commented May 10, 2022

Escaping is intentionally not contextual. As the security section states the only supported automatic escaping is HTML-based (link). This means that any use of this template that interpolates user-controlled data in a different context is vulnerable to XSS.

Here is one example:

<img onclick="{{interpolating action}}">

If the interpolating action outputs something like "javascript:alert(1)" the code will be executed.

Please add a section to the security paragraph of the README documenting that quicktemplate is not secure to use. As far as I understand this package only supports manual escaping, and only for specific kinds of escaping, and this leads to vulnerable templates.

As an alternative, implement contextual autoescaping. As a reference for autoescaping and documentation on how it works you can take a look at the standard library security model: https://pkg.go.dev/html/template#hdr-Security_Model. Disclaimer: this is not easy to do and I think it is beyond the scope of this package.

Please let me know if you need any assistance or explanation about the threats and potential dangers of using this library as it is today, I'd be happy to help :)

@empijei empijei changed the title Security: Document that templates are vulnerable to XSS Security: templates are vulnerable to XSS May 10, 2022
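The following Go program is an added illustration of the point made in the issue; it is not code from the issue or from the quicktemplate project. It does not import quicktemplate at all: `html.EscapeString` is assumed here to stand in for quicktemplate's HTML-only escaping, and the same `<img onclick="...">` template is then rendered with the standard library's contextual `html/template` for comparison. The payload is the one quoted in the issue, and `ExecutesAsCode` is a constructed helper for the demonstration, not a library API.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Payload taken from the issue text. It contains none of the five characters
// that HTML escaping touches (< > & ' "), so an HTML-only escaper leaves it
// untouched, and inside an onclick attribute it is valid JavaScript
// (a label followed by a call), so the browser runs it.
const payload = "javascript:alert(1)"

// RenderHTMLOnly stands in for quicktemplate's HTML-only escaping (assumption:
// html.EscapeString models the same behaviour; quicktemplate is not imported).
// The same escaper is applied regardless of where the value lands, here inside
// a JavaScript event-handler attribute.
func RenderHTMLOnly(action string) string {
	return fmt.Sprintf(`<img onclick="%s">`, html.EscapeString(action))
}

// RenderContextual renders the same template with html/template, whose escaper
// chooses the encoding from the parse state at the interpolation point. Inside
// onclick that state is JavaScript, so the value is emitted as a JS string
// literal and then attribute-escaped; it can no longer be parsed as statements.
func RenderContextual(action string) (string, error) {
	tmpl, err := template.New("img").Parse(`<img onclick="{{.}}">`)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, action); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ExecutesAsCode is a coarse review check (constructed for this example): it
// reports whether the raw value became the entire handler body verbatim, i.e.
// whether it would be interpreted as JavaScript statements rather than data.
func ExecutesAsCode(rendered, action string) bool {
	return strings.Contains(rendered, `onclick="`+action+`"`)
}

func main() {
	htmlOnly := RenderHTMLOnly(payload)
	contextual, err := RenderContextual(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("HTML-only escaping: ", htmlOnly)
	fmt.Println("contextual escaping:", contextual)
	fmt.Println("HTML-only leaves payload executable:", ExecutesAsCode(htmlOnly, payload))
	fmt.Println("contextual leaves payload executable:", ExecutesAsCode(contextual, payload))
}
```

Running it shows the HTML-only path emitting `<img onclick="javascript:alert(1)">` unchanged, while html/template emits the value as `&#34;javascript:alert(1)&#34;`, a quoted JS string that the handler evaluates as an inert expression. The same mismatch arises for any non-HTML context (URL attributes, inline scripts, CSS), which is why the issue asks for either contextual autoescaping or clear documentation that only HTML body context is covered.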