mirror of https://github.com/gohugoio/hugo.git
[Docs] Incorporate some great ideas by @mohae into the safeUrl docs
E.g. how `#ZgotomlZ` is used to "defang" the URL
parent 724cc0ddff
commit 2342655fde
1 changed file with 4 additions and 3 deletions
@@ -326,9 +326,10 @@ filtered out since they are a frequently exploited injection vector.
 [RFC 3986]: http://tools.ietf.org/html/rfc3986
 
 Without `safeUrl`, only the URI schemes `http:`, `https:` and `mailto:`
-are considered safe. All other URI schemes, e.g. `irc:` and
-`javascript:`, get filtered and replaced with the `ZgotmplZ` unsafe
-content indicator.
+are considered safe by Go. If any other URI schemes, e.g. `irc:` and
+`javascript:`, are detected, the whole URL would be replaced with
+`#ZgotmplZ`. This is to "defang" any potential attack in the URL,
+rendering it useless.
 
 Example: Given a site-wide `config.toml` that contains this menu entry:
 
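Review bot: the added line `are detected, the whole URL would be replaced with` hedges a deterministic behaviour; the old wording `get filtered and replaced with` was right on that point, so `is replaced with` reads better and tells the reader the substitution always happens rather than might. The commit message also spells the marker `#ZgotomlZ` while the doc text in this hunk has `#ZgotmplZ`; aligning the two helps anyone searching for the string after seeing it in rendered output.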