fix: address Copilot review comments for auto-escape feature

- Fix io.Writer contract violation in replacerWriter.Write()
  The Write method now correctly returns len(p) as required by io.Writer interface, instead of returning the transformed string length

- Fix potential nil panic in AddSafeFilter()
  Call ensureMapIsCreated() before checking c.filters["safe"] to prevent
  nil map access

These issues were identified in PR #111 review comments but were intentionally merged without fixes in order to reduce the chance of a conflict with another incoming PR. This commit addresses both concerns to ensure proper runtime behavior.

Author: osteele

expressions/filters.go

@@ -57,8 +57,8 @@ func (c *Config) AddFilter(name string, fn any) {
 }
 
 func (c *Config) AddSafeFilter() {
+	c.ensureMapIsCreated()
 	if c.filters["safe"] == nil {
-		c.ensureMapIsCreated()
 		c.filters["safe"] = func(in interface{}) interface{} {
 			if in, alreadySafe := in.(values.SafeValue); alreadySafe {
 				return in

expressions/filters_test.go

@@ -71,3 +71,37 @@ func TestContext_runFilter(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "(self, 11)", out)
 }
+
+// TestAddSafeFilterNilMap verifies that AddSafeFilter doesn't panic
+// when called on a Config with nil filters map
+func TestAddSafeFilterNilMap(t *testing.T) {
+	// Create a config without initializing filters map
+	cfg := &Config{}
+	
+	// This should not panic even though filters map is nil
+	require.NotPanics(t, func() {
+		cfg.AddSafeFilter()
+	}, "AddSafeFilter should not panic with nil filters map")
+	
+	// Verify the safe filter was added
+	require.NotNil(t, cfg.filters)
+	require.NotNil(t, cfg.filters["safe"])
+	
+	// Test that calling AddSafeFilter again doesn't duplicate
+	cfg.AddSafeFilter()
+	require.NotNil(t, cfg.filters["safe"])
+	
+	// Test the safe filter works correctly
+	safeFilter := cfg.filters["safe"].(func(interface{}) interface{})
+	
+	// Test with regular value
+	result := safeFilter("test")
+	safeVal, ok := result.(values.SafeValue)
+	require.True(t, ok, "Should return SafeValue")
+	require.Equal(t, "test", safeVal.Value)
+	
+	// Test with already safe value
+	alreadySafe := values.SafeValue{Value: "already safe"}
+	result2 := safeFilter(alreadySafe)
+	require.Equal(t, alreadySafe, result2, "Should return the same SafeValue if already safe")
+}

render/autoescape_test.go

@@ -73,3 +73,36 @@ func TestRenderEscapeFilter(t *testing.T) {
 		)
 	})
 }
+
+// TestReplacerWriterIOContract verifies that replacerWriter.Write correctly
+// implements the io.Writer contract by returning len(p)
+func TestReplacerWriterIOContract(t *testing.T) {
+	buf := new(bytes.Buffer)
+	rw := &replacerWriter{
+		replacer: HtmlEscaper,
+		w:        buf,
+	}
+
+	// Test with input that gets escaped (different output length)
+	input := []byte("<script>")
+	n, err := rw.Write(input)
+	require.NoError(t, err)
+	require.Equal(t, len(input), n, "Write must return len(p) per io.Writer contract")
+	require.Equal(t, "&lt;script&gt;", buf.String(), "Content should be escaped")
+
+	// Test with normal input (same output length)
+	buf.Reset()
+	input2 := []byte("hello world")
+	n2, err2 := rw.Write(input2)
+	require.NoError(t, err2)
+	require.Equal(t, len(input2), n2, "Write must return len(p) for normal input")
+	require.Equal(t, "hello world", buf.String())
+
+	// Test with empty input
+	buf.Reset()
+	input3 := []byte("")
+	n3, err3 := rw.Write(input3)
+	require.NoError(t, err3)
+	require.Equal(t, 0, n3, "Write must return 0 for empty input")
+	require.Equal(t, "", buf.String())
+}

render/render.go

@@ -164,7 +164,11 @@ type replacerWriter struct {
 }
 
 func (h *replacerWriter) Write(p []byte) (n int, err error) {
-	return h.WriteString(string(p))
+	_, err = h.WriteString(string(p))
+	if err != nil {
+		return 0, err
+	}
+	return len(p), nil
 }
 
 func (h *replacerWriter) WriteString(s string) (n int, err error) {