richtext

v0.1.0 Latest
Published: Jun 25, 2026 | License: MIT | Imports: 9 | Imported by: 0

README

togo-framework/richtext

Rich-text for togo — sanitize, render Markdown, store XSS-safe HTML.

Install

togo install togo-framework/richtext

The togo answer to Rails Action Text / Trix. Accept user rich text, sanitize it to a safe allowlist (no <script>, event handlers, or javascript: URLs), render Markdown → safe HTML, and derive plain-text excerpts for search/previews.

Usage

// From untrusted HTML (e.g. a WYSIWYG editor):
rt := richtext.New(userHTML)        // rt.HTML is sanitized + safe to render
// From Markdown:
rt = richtext.FromMarkdown("# Hi\n\n**bold** <script>alert(1)</script>")
rt.HTML        // "<h1>Hi</h1>\n<p><strong>bold</strong> </p>"  (script removed)
rt.PlainText() // "Hi bold"  — tags stripped, entities decoded
rt.Excerpt(120) // preview text, ellipsised on a word boundary

richtext.Sanitize(htmlStr)         // one-off clean
richtext.RenderMarkdown(md)        // md → sanitized html

RichText marshals as {"raw": "...", "html": "..."} and re-sanitizes on unmarshal — a stored html field is never trusted.
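
The never-trust-stored-html rule above, sketched as an added example (not the package's own code). StoredText and sanitize are hypothetical names, html.EscapeString stands in for richtext.Sanitize so the block runs with only the standard library, and rebuilding html from raw on unmarshal is an assumed design, since the page does not show the package's implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
)

// sanitize is a stand-in for richtext.Sanitize (assumption): it escapes all
// markup instead of applying bluemonday's UGC allowlist.
func sanitize(s string) string { return html.EscapeString(s) }

// StoredText is a hypothetical type with the same JSON shape as RichText.
type StoredText struct {
	Raw  string `json:"raw"`
	HTML string `json:"html"`
}

// MarshalJSON always emits HTML derived from Raw, never a stale field value.
func (s StoredText) MarshalJSON() ([]byte, error) {
	type wire StoredText // same fields, no methods, so no recursion
	return json.Marshal(wire{Raw: s.Raw, HTML: sanitize(s.Raw)})
}

// UnmarshalJSON decodes only "raw"; whatever "html" the row or request
// carried is discarded and rebuilt (assumed design, see lead-in).
func (s *StoredText) UnmarshalJSON(b []byte) error {
	var in struct{ Raw string `json:"raw"` }
	if err := json.Unmarshal(b, &in); err != nil {
		return err
	}
	s.Raw, s.HTML = in.Raw, sanitize(in.Raw)
	return nil
}

// Load decodes one stored JSON document into a StoredText.
func Load(doc []byte) (StoredText, error) {
	var s StoredText
	err := json.Unmarshal(doc, &s)
	return s, err
}

func main() {
	// Constructed sample: a row whose "html" was edited after sanitization.
	tampered := []byte(`{"raw":"hello <b>world</b>","html":"<img src=x onerror=alert(1)>"}`)
	s, err := Load(tampered)
	fmt.Println(s.HTML, err)
}
```

With the real package, the same check is a unit test that unmarshals a tampered document into richtext.RichText and asserts the injected markup is absent from the HTML field.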

REST

POST /api/richtext/render with {"markdown":"..."} or {"html":"..."} → {"html": "<safe>", "text": "..."}.

Security

HTML is sanitized with bluemonday's UGC policy; Markdown is rendered with goldmark and then sanitized. Always store and re-render the sanitized HTML; never render raw user input.



Documentation

Overview

Package richtext handles rich-text content for togo (Action Text / Trix style): sanitize untrusted HTML to an XSS-safe allowlist, render Markdown to safe HTML, and derive plain-text excerpts for search/previews.

rt := richtext.FromMarkdown("# Hi\n\n<script>alert(1)</script> **bold**")
rt.HTML        // sanitized: "<h1>Hi</h1>\n<p> <strong>bold</strong></p>"
rt.PlainText() // "Hi  bold"

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RenderMarkdown

func RenderMarkdown(md string) (string, error)

RenderMarkdown converts Markdown to sanitized HTML.

func Sanitize

func Sanitize(unsafeHTML string) string

Sanitize cleans untrusted HTML to the safe allowlist.

func StripTags

func StripTags(htmlStr string) string

StripTags returns the plain text of an HTML fragment (tags removed, entities decoded, whitespace collapsed).

Types

type RichText

type RichText struct {
	Raw  string `json:"raw"`
	HTML string `json:"html"`
}

RichText is a stored rich-text value: the raw input plus the sanitized HTML that is safe to render.

func FromMarkdown

func FromMarkdown(md string) RichText

FromMarkdown builds RichText from Markdown source.

func New

func New(rawHTML string) RichText

New builds RichText from (untrusted) HTML, storing the sanitized result.

func (RichText) Excerpt

func (r RichText) Excerpt(n int) string

Excerpt returns the first n characters of the plain text, with an ellipsis when truncated (cuts on a word boundary where possible).

func (RichText) IsEmpty

func (r RichText) IsEmpty() bool

IsEmpty reports whether there is no visible content.

func (RichText) MarshalJSON

func (r RichText) MarshalJSON() ([]byte, error)

MarshalJSON / UnmarshalJSON keep raw + (re-sanitized) html in sync.

func (RichText) PlainText

func (r RichText) PlainText() string

PlainText returns the rendered HTML stripped to plain text.

func (*RichText) UnmarshalJSON

func (r *RichText) UnmarshalJSON(b []byte) error

type Service

type Service struct{}

Service is the (stateless) richtext service stored on the kernel.

func FromKernel

func FromKernel(k *togo.Kernel) (*Service, bool)

FromKernel returns the richtext Service.
