Raw HTML
By default, any Go value interpolated with { expr } is HTML-escaped before it reaches the output. This keeps the template safe against injection: a string like <img src=x onerror=alert(1)> becomes &lt;img src=x onerror=alert(1)&gt; in the rendered page.
gsx.Raw(s) is the deliberate opt-out. It wraps a string in a gsx.Node that writes the bytes verbatim — no entity encoding, no escaping of any kind.
Rendering trusted HTML
Use { gsx.Raw(html) } when the string is already safe HTML that must be rendered as markup, not as escaped text. A typical source is a Markdown converter or a CMS that runs its own sanitization pass before handing you the HTML.
package views
import "github.com/gsxhq/gsx"
// ArticleBody renders pre-sanitized HTML from a CMS or Markdown converter.
// { gsx.Raw(html) } emits the string verbatim — no entity encoding.
component ArticleBody(html string) {
	<article>{ gsx.Raw(html) }</article>
}
Renders:
<article><em>Hello</em> & <strong>World</strong></article>
{ gsx.Raw(html) } emits the string as-is inside the <article> element. The <em> and <strong> tags appear as real elements in the rendered output, not as their escaped counterparts &lt;em&gt;.
Security
gsx.Raw is the opt-out from gsx's escape-by-construction model, analogous to templ.Raw. The string bypasses all of gsx's safety machinery. Only call it on strings you control or have already validated and sanitized:
- Pre-rendered Markdown from a library that sanitizes its output
- HTML from a trusted CMS field with a fixed allow-list
- Static strings written directly in your own code
Never pass unvalidated user input to gsx.Raw. A hostile string like <script>stealCookies()</script> would be written verbatim into the page.
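One way to enforce the fixed allow-list rule before a string ever reaches gsx.Raw, shown as an added example that is not gsx's own code. The SafeHTML type, the Sanitize function and the tag list are hypothetical; escaping is done by html.EscapeString from the Go standard library.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// SafeHTML is a hypothetical marker type. Its field is unexported, so code in
// other packages can only obtain one through Sanitize.
type SafeHTML struct{ s string }

func (h SafeHTML) String() string { return h.s }

// allowedTags is a constructed allow-list: only these exact tags, with no
// attributes, survive sanitization.
var allowedTags = []string{"em", "strong", "p", "code"}

// Sanitize escapes the whole input, then restores only allow-listed tags.
// Every "<" in the result comes from the allow-list, never from the input.
func Sanitize(untrusted string) SafeHTML {
	out := html.EscapeString(untrusted)
	for _, tag := range allowedTags {
		out = strings.ReplaceAll(out, "&lt;"+tag+"&gt;", "<"+tag+">")
		out = strings.ReplaceAll(out, "&lt;/"+tag+"&gt;", "</"+tag+">")
	}
	return SafeHTML{s: out}
}

func main() {
	// Constructed sample inputs; the second and third are strings used on this page.
	inputs := []string{
		"<em>Hello</em> & <strong>World</strong>",
		"<img src=x onerror=alert(1)>",
		"<script>stealCookies()</script>",
		`<em class="x">attributes are not on the allow-list</em>`,
	}
	for _, in := range inputs {
		// In a gsx view, Sanitize(in).String() is the value you would pass to gsx.Raw.
		fmt.Printf("%-58q -> %s\n", in, Sanitize(in))
	}
}
```

An opening tag that carries attributes stays escaped while its closing tag is restored, so the output can contain an unmatched closing tag; a production sanitizer would also balance tags.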
If the trusted value is a URL rather than HTML, use gsx.RawURL. For trusted JavaScript, use gsx.RawJS. For trusted CSS, use gsx.RawCSS. See Escaping for the full context-aware escaping reference.