Clarification Request: Why are template layout no longer being cloned?

[preslavrachev]

Hi,

I was trying to adapt the template loading and embedding logic for my Echo-based project when I noticed this part here:

template/html/html.go

Line 211 in 2fde445

lay := e.Templates.Lookup(layout[0])

I expected to see lay.Clone() being called here, because the current solution attaches the embed func globally. This could be a potential security threat, if someone ends up rendering main.html by mistake.

Checking the history, I saw that there was a version that cloned the template, but it was replaced, because a cloned template cannot be executed multiple times. But if you are always only executing the copy, why would the original template get executed in the first place?

I would love to hear your thoughts.

[preslavrachev]

The real reason of what was causing gofiber/fiber#818 is that Engine uses a *template.Template instance to store and lookup all templates. If you replace that single instance with a map[string]*template.Template and use the map for lookup, you won't have this issue anymore, and you should be able to bring template cloning back.