github/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2024-11-21 20:46:30 -05:00
Code Issues Projects Releases Packages Wiki Activity

[Docs] Incorporate some great ideas by @mohae into the safeUrl docs

Browse source 
E.g. how `#ZgotomlZ` is used to "defang" the URL
This commit is contained in:
Anthony Fok 2015-01-20 00:24:47 -07:00
parent 724cc0ddff
commit 2342655fde
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
docs/content/templates/functions.md
View file

@ -326,9 +326,10 @@ filtered out since they are a frequently exploited injection vector.
[RFC 3986]: http://tools.ietf.org/html/rfc3986
Without `safeUrl`, only the URI schemes `http:`, `https:` and `mailto:`
are considered safe. All other URI schemes, e.g. `irc:` and
`javascript:`, get filtered and replaced with the `ZgotmplZ` unsafe
content indicator.
are considered safe by Go. If any other URI schemes, e.g. `irc:` and
`javascript:`, are detected, the whole URL would be replaced with
`#ZgotmplZ`. This is to "defang" any potential attack in the URL,
rendering it useless.
Example: Given a site-wide `config.toml` that contains this menu entry: