Harden local runtime safety and error handling

internal/handlers/web_test.go

@@ -0,0 +1,47 @@
+package handlers
+
+import (
+	"errors"
+	"html/template"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+)
+
+func TestWebHandlerRenderHidesTemplateExecutionError(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	tmpl := template.Must(template.New("broken.html").Funcs(template.FuncMap{
+		"boom": func() (string, error) {
+			return "", errors.New("secret template failure")
+		},
+	}).Parse(`{{define "broken.html"}}{{boom}}{{end}}`))
+
+	handler := &WebHandler{
+		templates: map[string]*template.Template{
+			"broken.html": tmpl,
+		},
+	}
+
+	rec := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(rec)
+	ctx.Request = httptest.NewRequest(http.MethodGet, "/broken", nil)
+
+	handler.render(ctx, "broken.html", gin.H{})
+
+	if rec.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d", rec.Code)
+	}
+	if body := strings.TrimSpace(rec.Body.String()); body != "Template error" {
+		t.Fatalf("expected generic template error, got %q", body)
+	}
+	if len(ctx.Errors) != 1 {
+		t.Fatalf("expected logged template error, got %d", len(ctx.Errors))
+	}
+	if !strings.Contains(ctx.Errors.String(), "secret template failure") {
+		t.Fatalf("expected original error in gin context, got %q", ctx.Errors.String())
+	}
+}