hugo/content/functions/safeURL.md

---
title: safeURL
description: Declares the provided string as a safe URL or URL substring.
godocref: https://golang.org/pkg/html/template/#HTMLEscape
date: 2017-02-01
publishdate: 2017-02-01
lastmod: 2017-02-01
keywords: [strings,urls]
categories: [functions]
menu:
  docs:
    parent: "functions"
signature: ["safeURL INPUT"]
workson: []
hugoversion:
relatedfuncs: []
deprecated: false
aliases: []
---

`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a [site `config.toml`][configuration] with the following [menu entry][menus]:

{{< code file="config.toml" copy="false" >}}
[[menu.main]]
    name = "IRC: #golang at freenode"
    url = "irc://irc.freenode.net/#golang"
{{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>
{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
    <li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}

The odd output can be remedied by adding ` | safeURL` to our `.Title` page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
    <li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
</ul>
{{< /code >}}

With the `.URL` page variable piped through `safeURL`, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}
<ul class="sidebar-menu">
    <li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}

[configuration]: /getting-started/configuration/
[menus]: /content-management/menus/
[RFC 3986]: http://tools.ietf.org/html/rfc3986
Squashed 'docs/' content from commit f887bd7b git-subtree-dir: docs git-subtree-split: f887bd7b4e3e7c7e76cd63951e5b0d37d8fe0ac7 2017-08-10 11:18:22 -04:00			`---`
			`title: safeURL`
			`description: Declares the provided string as a safe URL or URL substring.`
			`godocref: https://golang.org/pkg/html/template/#HTMLEscape`
			`date: 2017-02-01`
			`publishdate: 2017-02-01`
			`lastmod: 2017-02-01`
Squashed 'docs/' changes from 44fe0285..32356e4e 32356e4e Fix typo in header of shortcode-templates.md c8f1a2d2 Correct code example for index template function bfa6a55d Escape code fencing ff8b2f99 Fix typos in deployment with wercker tutorial 557c36e8 theme: Merge commit '7fbb4bed25001182bfeb91f79db0f0c1936582ee' 7fbb4bed Squashed 'themes/gohugoioTheme/' changes from 7dd8a302..ca53082d ce31cee0 Add "See Also" config 158cee1b Make the tags into keywords 61600be6 Add a note to the related section 49edb5a2 Relase 0.27.1 c9bbc001 releaser: Add release notes to /docs for release of 0.27.1 213c6c3b Add bugs poster 8b4590cd Add KeyCDN integration tutorial 2b277859 Add tutorial videos to several docs pages 950fef1f Update roadmap to link to the correct milestones page 496f5bf6 Rename relnotes d6f9378d Bump Netlify versions to 0.27 087fde7f Update 0.27 release notes 603f94ae docs: Document Related Content 3790f6a3 releaser: Bump versions for release of 0.27 0948868c releaser: Add release notes to /docs for release of 0.27 git-subtree-dir: docs git-subtree-split: 32356e4eabe357ae914f4d1d59e8ae31ce936723 2017-09-21 13:03:00 -04:00			`keywords: [strings,urls]`
Squashed 'docs/' content from commit f887bd7b git-subtree-dir: docs git-subtree-split: f887bd7b4e3e7c7e76cd63951e5b0d37d8fe0ac7 2017-08-10 11:18:22 -04:00			`categories: [functions]`
			`menu:`
			`docs:`
			`parent: "functions"`
			`signature: ["safeURL INPUT"]`
			`workson: []`
			`hugoversion:`
			`relatedfuncs: []`
			`deprecated: false`
			`aliases: []`
			`---`

			`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

			Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.

			The following examples use a [site `config.toml`][configuration] with the following [menu entry][menus]:

			`{{< code file="config.toml" copy="false" >}}`
			`[[menu.main]]`
			`name = "IRC: #golang at freenode"`
			`url = "irc://irc.freenode.net/#golang"`
			`{{< /code >}}`

			`The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:`

			`{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}`
			`<!-- This unordered list may be part of a sidebar menu -->`
			`<ul>`
			`{{ range .Site.Menus.main }}`
			`<li><a href="{{ .URL }}">{{ .Name }}</a></li>`
			`{{ end }}`
			`</ul>`
			`{{< /code >}}`

			`This partial would produce the following HTML output:`

			`{{< output file="bad-url-sidebar-menu-output.html" >}}`
			`<!-- This unordered list may be part of a sidebar menu -->`
			`<ul>`
			`<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>`
			`</ul>`
			`{{< /output >}}`

			The odd output can be remedied by adding ` \| safeURL` to our `.Title` page variable:

			`{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}`
			`<!-- This unordered list may be part of a sidebar menu -->`
			`<ul>`
			`<li><a href="{{ .URL \| safeURL }}">{{ .Name }}</a></li>`
			`</ul>`
			`{{< /code >}}`

			With the `.URL` page variable piped through `safeURL`, we get the desired output:

			`{{< output file="correct-url-sidebar-menu-output.html" >}}`
			`<ul class="sidebar-menu">`
			`<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>`
			`</ul>`
			`{{< /output >}}`

			`[configuration]: /getting-started/configuration/`
			`[menus]: /content-management/menus/`
			`[RFC 3986]: http://tools.ietf.org/html/rfc3986`