html/template: should escape JSON without using \x

[earthboundkid]

What version of Go are you using (go version)?

go version go1.12.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What did you do?

Ran this snippet

package main

import (
	"html/template"
	"log"
	"os"
)

func main() {
	const tpl = `<!DOCTYPE html>
<html>
	<head>
		<meta charset="UTF-8">
		<title>{{ .Title }}</title>
	</head>
	<body>
		<script type="application/ld+json">
		{
			"@context": "http://schema.org",
			"@type": "WebPage",
			"name":"{{ .Title }}",
			"description": "{{ .Description }}"
		}
		</script>
	</body>
</html>`

	check := func(err error) {
		if err != nil {
			log.Fatal(err)
		}
	}
	t, err := template.New("webpage").Parse(tpl)
	check(err)

	data := struct {
		Title, Description string
	}{
		Title:       "<My \"Cool\" Page>",
		Description: "A \"Cool\" Page by 'Me'",
	}

	err = t.Execute(os.Stdout, data)
	check(err)
}

What did you expect to see?

An HTML document containing valid JSON.

What did you see instead?

Invalid JSON, as reported by https://search.google.com/structured-data/testing-tool/

---

Go escapes what is between the <script> tags as though it were JavaScript because of #26053. That's mostly correct, except that there are subtle difference between valid JavaScript and valid JSON. Specifically, https://search.google.com/structured-data/testing-tool/ reports that \x3c style escaping is not correct for LD JSON. It needs to be \u003c instead.

[earthboundkid]

FWIW, http://json.org agrees that \u escapes are valid JSON and \x escapes are not.

ISTM, the simple solution is to tell the JavaScript escaper to always use \u. JS and JSON have other differences around whitespace handing, but it's easy enough to make them compatible.

[agnivade]

@mikesamuel @empijei

[empijei]

I investigated this a bit and I confirm it is an issue.

( Some context for future reference: https://json-ld.org/ )

@carlmjohnson would you like to work on a CL for this?
@bcmills this doesn't need further investigation

[Harumaro]

We are having this exact same problem as of today, is there a deadline or a workaround for this? It's really impacting our SEO.

[earthboundkid]

I started working on a fix, but honestly, I'm in over my head because I don't know what is valid or invalid in JS and I don't understand what all the test cases are testing for.

In terms of a workaround, if you're using Hugo, you can do {{ $x | jsonify | safeJS }}. Other Go templating systems should have similar ways of converting to JSON and marking as safe.

[Harumaro]

Thanks, if anybody needs a workaround for gin gonic, it's in Chinese, but Google translate is helpful.
https://codus.me/blog/golang-template-json-ld-error-encoding

[empijei]

@Harumaro there is no deadline that I am aware of but if you are willing to work on a fix I can do the review and approval to expedite this.