Replace manual string-replace escaping with stdlib html.EscapeString.
Escape tag names and attribute keys in elNode and Layout rendering.
Improve Attr() to traverse wrapper nodes (If, Unless, Entitled).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Escape variant name in Responsive.Render HTML attribute (XSS fix)
- Rewrite StripTags to single-pass O(n) space collapsing
- Document Raw() security contract in WASM entry point
- Add TestAttr_NonElement coverage
- Fix Makefile WASM target to rebuild on source changes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements If, Unless, Entitled, Switch, and Each (generic) control flow
nodes. Entitled uses deny-by-default when no entitlement function is set,
rendering absent content rather than hidden content. Each uses Go generics
for type-safe iteration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces textNode that renders through go-i18n's T() function with
automatic HTML escaping for safe-by-default output. Adds escapeHTML
utility, NewContextWithService for explicit service binding, and
Entitlements field on Context for upcoming conditional rendering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces the go-html module with a Node rendering interface, Raw and El
constructors, void element handling, and attribute escaping. Includes a
minimal Context stub and tests for all node types.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
