tpl: Enable safeHTMLAttr

See #2234 and #347
marco 2016-06-22 13:21:04 +02:00 committed by Anthony Fok
parent cdd6a124c2
commit c21e2b3b4d
2 changed files with 1 additions and 6 deletions


@ -546,7 +546,6 @@ rendering the whole string as plain-text like this:
<p>© 2015 Jane Doe. &lt;a href=&#34;http://creativecommons.org/licenses/by/4.0/&#34;&gt;Some rights reserved&lt;/a&gt;.</p> <p>© 2015 Jane Doe. &lt;a href=&#34;http://creativecommons.org/licenses/by/4.0/&#34;&gt;Some rights reserved&lt;/a&gt;.</p>
</blockquote> </blockquote>
<!--
### safeHTMLAttr ### safeHTMLAttr
Declares the provided string as a "safe" HTML attribute Declares the provided string as a "safe" HTML attribute
from a trusted source, for example, ` dir="ltr"`, from a trusted source, for example, ` dir="ltr"`,
@ -560,8 +559,6 @@ Example: Given a site-wide `config.toml` that contains this menu entry:
* `<a href="{{ .URL }}">``<a href="#ZgotmplZ">` (Bad!) * `<a href="{{ .URL }}">``<a href="#ZgotmplZ">` (Bad!)
* `<a {{ printf "href=%q" .URL | safeHTMLAttr }}>``<a href="irc://irc.freenode.net/#golang">` (Good!) * `<a {{ printf "href=%q" .URL | safeHTMLAttr }}>``<a href="irc://irc.freenode.net/#golang">` (Good!)
-->
### safeCSS ### safeCSS
Declares the provided string as a known "safe" CSS string Declares the provided string as a known "safe" CSS string


@ -1576,9 +1576,6 @@ func readDirFromWorkingDir(i interface{}) ([]os.FileInfo, error) {
} }
// safeHTMLAttr returns a given string as html/template HTMLAttr content. // safeHTMLAttr returns a given string as html/template HTMLAttr content.
//
// safeHTMLAttr is currently disabled, pending further discussion
// on its use case. 2015-01-19
func safeHTMLAttr(a interface{}) template.HTMLAttr { func safeHTMLAttr(a interface{}) template.HTMLAttr {
return template.HTMLAttr(cast.ToString(a)) return template.HTMLAttr(cast.ToString(a))
} }
@ -1806,6 +1803,7 @@ func init() {
"replaceRE": replaceRE, "replaceRE": replaceRE,
"safeCSS": safeCSS, "safeCSS": safeCSS,
"safeHTML": safeHTML, "safeHTML": safeHTML,
"safeHTMLAttr": safeHTMLAttr,
"safeJS": safeJS, "safeJS": safeJS,
"safeURL": safeURL, "safeURL": safeURL,
"sanitizeURL": helpers.SanitizeURL, "sanitizeURL": helpers.SanitizeURL,
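Review bot: The doc comment on safeHTMLAttr loses its "currently disabled" caveat but gains no statement of the trust requirement, while the new `"safeHTMLAttr": safeHTMLAttr,` entry in init() makes the function callable from every template. A template.HTMLAttr value is written into the tag as-is, so anything piped through it skips html/template's contextual escaping and the URL filtering that otherwise produces `#ZgotmplZ`; a value that originates in unreviewed front matter or data files could then carry extra attributes into the page. I would extend the comment with `// The result is emitted verbatim inside a tag; pass only values from a trusted source (site config, theme), never unreviewed content.` The init() body starts and continues outside the hunk, so whether other registration paths exist cannot be seen from here.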