Copyright (c) 2017 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file or at https://developers.google.com/open-source/licenses/bsd

package template

import (
	
	
	
	

	
)
A TrustedSource is an immutable string-like type referencing trusted template files under application control. It can be passed to template-parsing functions and methods to safely load templates without the risk of untrusted template execution. In order to ensure that an attacker cannot influence the TrustedSource value, a TrustedSource can be instantiated only from untyped string constants, command-line flags, and other application-controlled strings, but never from arbitrary string values potentially representing untrusted user input. Note that TrustedSource's constructors cannot truly guarantee that the templates it references are not attacker-controlled; it can guarantee only that the path to the template itself is under application control. Users of these constructors must ensure themselves that TrustedSource never references attacker-controlled files or directories that contain such files.
We declare a TrustedSource not as a string but as a struct wrapping a string to prevent construction of TrustedSource values through string conversion.
	src string
}
TrustedSourceFromConstant constructs a TrustedSource with its underlying src set to the given src, which must be an untyped string constant. No runtime validation or sanitization is performed on src; being under application control, it is simply assumed to comply with the TrustedSource type contract.
func ( stringConstant) TrustedSource {
	return TrustedSource{string()}
}
TrustedSourceFromConstantDir constructs a TrustedSource calling path/filepath.Join on an application-controlled directory path, which must be an untyped string constant, a TrustedSource, and a dynamic filename. It returns an error if filename contains filepath or list separators, since this might cause the resulting path to reference a file outside of the given directory. dir or src may be empty if either of these path segments are not required.
func ( stringConstant,  TrustedSource,  string) (TrustedSource, error) {
	if  := strings.IndexAny(, string([]rune{filepath.Separator, filepath.ListSeparator}));  != -1 {
		return TrustedSource{}, fmt.Errorf("filename %q must not contain the separator %q", , [])
	}
	if  == ".." {
		return TrustedSource{}, fmt.Errorf("filename must not be the special name %q", )
	}
	return TrustedSource{filepath.Join(string(), .String(), )}, nil
}
TrustedSourceJoin is a wrapper around path/filepath.Join that returns a TrustedSource formed by joining the given path elements into a single path, adding an OS-specific path separator if necessary.
func ( ...TrustedSource) TrustedSource {
	return TrustedSource{filepath.Join(trustedSourcesToStrings()...)}
}
TrustedSourceFromFlag returns a TrustedSource containing the string representation of the retrieved value of the flag. In a server setting, flags are part of the application's deployment configuration and are hence considered application-controlled.
func ( flag.Value) TrustedSource {
	return TrustedSource{fmt.Sprint(.String())}
}
TrustedSourceFromEnvVar is a wrapper around os.Getenv that returns a TrustedSource containing the value of the environment variable named by the key. It returns the value, which will be empty if the variable is not present. To distinguish between an empty value and an unset value, use os.LookupEnv. In a server setting, environment variables are part of the application's deployment configuration and are hence considered application-controlled.
func ( stringConstant) TrustedSource {
	return TrustedSource{os.Getenv(string())}
}
String returns the string form of the TrustedSource.
func ( TrustedSource) () string {
	return .src
}

func ( []TrustedSource) []string {
	 := make([]string, 0, len())
	for ,  := range  {
		 = append(, .String())
	}
	return