hugo/docs/content/en/functions/safeURL.md

---
title: safeURL
description: Declares the provided string as a safe URL or URL substring.
date: 2017-02-01
publishdate: 2017-02-01
lastmod: 2017-02-01
keywords: [strings,urls]
categories: [functions]
menu:
  docs:
    parent: "functions"
signature: ["safeURL INPUT"]
workson: []
hugoversion:
relatedfuncs: []
deprecated: false
aliases: []
---

`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a [site `config.toml`][configuration] with the following [menu entry][menus]:

{{< code file="config.toml" copy="false" >}}
[[menu.main]]
    name = "IRC: #golang at freenode"
    url = "irc://irc.freenode.net/#golang"
{{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>
{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
    <li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}

The odd output can be remedied by adding ` | safeURL` to our `.URL` page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
    <li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
</ul>
{{< /code >}}

With the `.URL` page variable piped through `safeURL`, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}
<ul class="sidebar-menu">
    <li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}

[configuration]: /getting-started/configuration/
[menus]: /content-management/menus/
[RFC 3986]: https://tools.ietf.org/html/rfc3986
Squashed 'docs/' content from commit fdea5430f git-subtree-dir: docs git-subtree-split: fdea5430f89dfd849d39212abdf5ace0a4763e5a 2019-10-21 04:22:28 -04:00			`---`
			`title: safeURL`
			`description: Declares the provided string as a safe URL or URL substring.`
			`date: 2017-02-01`
			`publishdate: 2017-02-01`
			`lastmod: 2017-02-01`
			`keywords: [strings,urls]`
			`categories: [functions]`
			`menu:`
			`docs:`
			`parent: "functions"`
			`signature: ["safeURL INPUT"]`
			`workson: []`
			`hugoversion:`
			`relatedfuncs: []`
			`deprecated: false`
			`aliases: []`
			`---`

			`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

			Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.

			The following examples use a [site `config.toml`][configuration] with the following [menu entry][menus]:

			`{{< code file="config.toml" copy="false" >}}`
			`[[menu.main]]`
			`name = "IRC: #golang at freenode"`
			`url = "irc://irc.freenode.net/#golang"`
			`{{< /code >}}`

			`The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:`

			`{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}`
			`<!-- This unordered list may be part of a sidebar menu -->`
			`<ul>`
			`{{ range .Site.Menus.main }}`
			`<li><a href="{{ .URL }}">{{ .Name }}</a></li>`
			`{{ end }}`
			`</ul>`
			`{{< /code >}}`

			`This partial would produce the following HTML output:`

			`{{< output file="bad-url-sidebar-menu-output.html" >}}`
			`<!-- This unordered list may be part of a sidebar menu -->`
			`<ul>`
			`<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>`
			`</ul>`
			`{{< /output >}}`

Squashed 'docs/' changes from 54f0e8776..bd0e15bb6 bd0e15bb6 Optimised images with calibre/image-actions 59830ea44 Remove comments from quickstart code samples 348821b5d Remove image-actions 1cbbd26a9 Update index.md bcf3de764 Update index.md fcf17e6ef Release 0.62.1 0956bde21 Merge branch 'temp621' 28d604756 releaser: Add release notes to /docs for release of 0.62.1 c895f12e7 Fix statement about version installed with apt-get (#854) e96928e38 Updated quickstart to split theme download and theme config add into separate blocks (#967) e099c1ad6 changed ".Title" to ".URL" (#972) bea71280d Fix small typing error (#1001) 9c28c422e Correct hyperlink for 'markdownify' function cf3844a06 Corrected small conjugation mistake (#996) 8b9c1d4f2 Added remarks about additional parameters in ref/relref (#995) ca06c9a56 Fix illegal character in render-link.html example 7a85c789b Update RenderString.md 69df3b17e Update configuration-markup.md 43e9222a2 Revert "Add shortcodes to note comparing with `markdownify`" 2bd5bc2d7 Add shortcodes to note comparing with `markdownify` ddfee60b7 Update configuration-markup.md f87c35fe2 docs: Remove extra double quotation 5ca5cc15f Update index.md 6e457f5ec Update configuration-markup.md 12df3c0fc Update configuration-markup.md 91977fd96 Update configuration-markup.md 377b8954a Update configuration-markup.md 99d691b5e Update hosting-on-render.md ccf855b22 Update index.md a945acc42 Update index.md 7d4f308d6 Fix Netlify config f4caa07f5 Release 0.62.0 79d18276f releaser: Add release notes to /docs for release of 0.62.0 9db1a08d1 Merge commit '8a4005cf2b0ef34265ff8051a6b76226685fc226' 79e556223 docs: More on hooks 5088c54df tpl: Do not return any value in errorf 98c8c8638 tpl: Add a warnf template func 4a9d76cea docs: Regen docshelper 626e53b55 Fix incorrect MIME type from image/jpg to image/jpeg f92f77c5d Preserve HTML Text for link render hooks 6db9c52b1 docs: Footnote 16801db3b Add render template hooks for links and images 0facb823c Merge commit '2e711a28c71e8667258e5ab824f9b9a71c261b0a' 79bf8ed4c markup/tableofcontents: Add config option for ordered list git-subtree-dir: docs git-subtree-split: bd0e15bb6063f7ad4f0c47eb33c8c0c23c962d13 2020-01-05 05:13:09 -05:00			The odd output can be remedied by adding ` \| safeURL` to our `.URL` page variable:
Squashed 'docs/' content from commit fdea5430f git-subtree-dir: docs git-subtree-split: fdea5430f89dfd849d39212abdf5ace0a4763e5a 2019-10-21 04:22:28 -04:00
			`{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}`
			`<!-- This unordered list may be part of a sidebar menu -->`
			`<ul>`
			`<li><a href="{{ .URL \| safeURL }}">{{ .Name }}</a></li>`
			`</ul>`
			`{{< /code >}}`

			With the `.URL` page variable piped through `safeURL`, we get the desired output:

			`{{< output file="correct-url-sidebar-menu-output.html" >}}`
			`<ul class="sidebar-menu">`
			`<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>`
			`</ul>`
			`{{< /output >}}`

			`[configuration]: /getting-started/configuration/`
			`[menus]: /content-management/menus/`
Squashed 'docs/' changes from 19f44e150..ec0abe052 ec0abe052 Update index.md ed44339cd Update bio.md cef04eb95 Minor edits 4d45dcc8d Submitting Digital.gov to the Hugo Showcase d35126af7 Azure uses storage containers, not buckets; edited accordingly. (#1078) 9c249cc89 fix grammatical error 9728699a3 Release Hugo 0.69.2 cccabed0c Merge branch 'temp692' 3d0a740c4 releaser: Add release notes to /docs for release of 0.69.2 b760aceb1 HTTPS external links in docs 49e4631b0 Release 0.69.1 01f3da870 Merge branch 'temp691' 8280d85aa releaser: Add release notes to /docs for release of 0.69.1 40ea44d24 fix typo (#1088) 725f53643 Rebuild cache 80ee1efd9 Add KeyCDN Showcase f253e906e docs: Fix typo in Hugo's Security Model b3ffd1ad3 Mentioning a range is equivalent to foreach (#1086) 0c396911f Update jsonify function docs 376befc9a Fix typo (#1084) 4bdc9bc72 Mark .Page.UniqueID as deprecated and add .File.UniqueID 30a7b7bf2 Update hosting-on-github.md c5db4ba2b Update postprocess.md 1121f74a5 Update install guide with Scoop extended 8988aa6fa Merge branch 'postprocess' 225d3f9c7 Release Hugo 0.69.0 4caf7a89a releaser: Add release notes to /docs for release of 0.69.0 664b2a0fa Document resources.PostProcess and buildStats 9737b34e9 docs: Regen docs helper 0fab3ba24 Merge commit 'da3c3e5fbd0de65f956618cd2e35401460a3cd02' 96dad83b1 Update hosting-on-aws-amplify.md 57eb27897 Merge commit 'c494c37a4523fbf2db6274dc87e0877fd5bec24b' dcc7afef7 fix typo in getting started git-subtree-dir: docs git-subtree-split: ec0abe052bcfebc65c323df4ff14ad277bb405d8 2020-05-06 06:12:21 -04:00			`[RFC 3986]: https://tools.ietf.org/html/rfc3986`