author Sean Liao <sean@liao.dev> 2025-03-15 00:14:14 +0000
committer Sean Liao <sean@liao.dev> 2025-03-17 08:52:14 -0700
commit 57c44fdefc818f90b98fa1d5c0cd0fccdc35edf8
tree 353008dc8fad0075464c1958628268f0a114e0df /src
parent 7dd7d70c034a24ac98e52bd4e6dac3ce35c60271
html/template: document comment stripping
Fixes #28628

Change-Id: I8b68f55f25e62f747d7cc48a490fec7f426f53d1
Reviewed-on: https://go-review.googlesource.com/c/go/+/658115
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat (limited to 'src')
-rw-r--r-- src/html/template/doc.go | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/html/template/doc.go b/src/html/template/doc.go
index 4d880738e6..38d58669de 100644
--- a/src/html/template/doc.go
+++ b/src/html/template/doc.go
@@ -28,6 +28,9 @@ HTML templates treat data values as plain text which should be encoded so they
can be safely embedded in an HTML document. The escaping is contextual, so
actions can appear within JavaScript, CSS, and URI contexts.
+Comments are stripped from output, except for those passed in via the
+[HTML], [CSS], and [JS] types for their respective contexts.
+
The security model used by this package assumes that template authors are
trusted, while Execute's data parameter is not. More details are
provided below.
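Review bot: The two added lines do not say which comments are meant or where they originate: "Comments are stripped from output" can be read as covering comments inside data values as well as comments written in the template text, and "passed in via the [HTML], [CSS], and [JS] types" leaves the reader to infer that distinction. Suggest naming the source explicitly, for example "Comments in template text are stripped from output", and listing the comment syntaxes covered if the set is fixed. Because the paragraph that follows states that Execute's data parameter is not trusted, it would also help to say at this point that the exception means comment content carried in a value of one of those types reaches the output as given, so such values should be built only from trusted input.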