--- title: safe.URL description: Declares the given string as a safe URL or URL substring. categories: [] keywords: [] action: aliases: [safeURL] related: - functions/safe/CSS - functions/safe/HTML - functions/safe/HTMLAttr - functions/safe/JS - functions/safe/JSStr returnType: template.URL signatures: [safe.URL INPUT] aliases: [/functions/safeurl] --- `safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector. Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless. The following examples use a [site `hugo.toml`][configuration] with the following [menu entry][menus]: {{< code-toggle file=hugo >}} [[menus.main]] name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code-toggle >}} The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example: {{< code file=layouts/partials/bad-url-sidebar-menu.html >}}