BUG: Template execution errors result in corrupt HTML responses #42

Closed
opened 2026-02-16 06:56:36 +01:00 by clawbot · 1 comment
Collaborator

Severity: MEDIUM

Files: Multiple handlers (setup.go, app.go, auth.go, dashboard.go)

Description

In all handlers, the pattern is:

```go
err := tmpl.ExecuteTemplate(writer, "page.html", data)
if err != nil {
    h.log.Error("template execution failed", "error", err)
    http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
}
```

The problem: ExecuteTemplate writes directly to the http.ResponseWriter. If the template partially renders before hitting an error, the HTTP 200 status and partial HTML have already been sent. The subsequent http.Error() call:

  1. Cannot change the already-sent 200 status code
  2. Appends "Internal Server Error" text to the partial HTML
  3. Results in a corrupt, half-rendered page

Suggested Fix

Render templates to a buffer first, then write to the response only on success:

```go
var buf bytes.Buffer
err := tmpl.ExecuteTemplate(&buf, "page.html", data)
if err != nil {
    h.log.Error("template execution failed", "error", err)
    http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
    return
}
buf.WriteTo(writer)
```

This is a common Go web pattern. Consider creating a helper method on Handlers.

Owner

do it, using the helper method. apply it in all places this pattern appears. create a PR.

sneak closed this issue 2026-02-16 07:05:45 +01:00
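
The buffering fix from the issue, written as a helper method and run against a template that fails partway through rendering, next to the direct-write pattern for comparison. This is an added example, not code from the upaas repository; the `Handlers` fields, the `renderTemplate` and `serve` names, and the template contents are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"io"
	"log/slog"
	"net/http"
	"net/http/httptest"
)

// Handlers stands in for the project's handler struct (fields assumed).
type Handlers struct {
	log  *slog.Logger
	tmpl *template.Template
}

// renderTemplate (hypothetical name) writes to w only after execution succeeded.
func (h *Handlers) renderTemplate(w http.ResponseWriter, name string, data any) {
	var buf bytes.Buffer
	if err := h.tmpl.ExecuteTemplate(&buf, name, data); err != nil {
		h.log.Error("template execution failed", "template", name, "error", err)
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}
	_, _ = buf.WriteTo(w) // a failure here means the client connection is gone
}

// Constructed template: index fails at execution time when Items is empty.
const page = `<html><body><h1>{{.Title}}</h1><p>{{index .Items 0}}</p></body></html>`

// serve renders page.html via the helper or directly (as in the issue); returns status, body.
func serve(items []string, buffered bool) (int, string) {
	tmpl := template.Must(template.New("page.html").Parse(page))
	h := &Handlers{log: slog.New(slog.NewTextHandler(io.Discard, nil)), tmpl: tmpl}
	rec := httptest.NewRecorder()
	data := map[string]any{"Title": "Dashboard", "Items": items}
	if buffered {
		h.renderTemplate(rec, "page.html", data)
	} else if err := h.tmpl.ExecuteTemplate(rec, "page.html", data); err != nil {
		http.Error(rec, "Internal Server Error", http.StatusInternalServerError)
	}
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(serve(nil, false)) // direct write: 200 with partial HTML plus error text
	fmt.Println(serve(nil, true))  // buffered: clean 500
}
```

The buffer holds the whole page in memory until rendering finishes, which is the cost of being able to return a clean 500.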
Reference: sneak/upaas#42