github/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2024-11-14 20:37:55 -05:00
Code Issues Projects Releases Packages Wiki Activity
hugo/content/en/functions/safeURL.md
Bjørn Erik Pedersen 26f1458a2d Squashed 'docs/' changes from 54f0e8776..bd0e15bb6 
bd0e15bb6 Optimised images with calibre/image-actions
59830ea44 Remove comments from quickstart code samples
348821b5d Remove image-actions
1cbbd26a9 Update index.md
bcf3de764 Update index.md
fcf17e6ef Release 0.62.1
0956bde21 Merge branch 'temp621'
28d604756 releaser: Add release notes to /docs for release of 0.62.1
c895f12e7 Fix statement about version installed with apt-get (#854)
e96928e38 Updated quickstart to split theme download and theme config add into separate blocks (#967)
e099c1ad6 changed ".Title" to ".URL" (#972)
bea71280d Fix small typing error (#1001)
9c28c422e Correct hyperlink for 'markdownify' function
cf3844a06 Corrected small conjugation mistake (#996)
8b9c1d4f2 Added remarks about additional parameters in ref/relref (#995)
ca06c9a56 Fix illegal character in render-link.html example
7a85c789b Update RenderString.md
69df3b17e Update configuration-markup.md
43e9222a2 Revert "Add shortcodes to note comparing with `markdownify`"
2bd5bc2d7 Add shortcodes to note comparing with `markdownify`
ddfee60b7 Update configuration-markup.md
f87c35fe2 docs: Remove extra double quotation
5ca5cc15f Update index.md
6e457f5ec Update configuration-markup.md
12df3c0fc Update configuration-markup.md
91977fd96 Update configuration-markup.md
377b8954a Update configuration-markup.md
99d691b5e Update hosting-on-render.md
ccf855b22 Update index.md
a945acc42 Update index.md
7d4f308d6 Fix Netlify config
f4caa07f5 Release 0.62.0
79d18276f releaser: Add release notes to /docs for release of 0.62.0
9db1a08d1 Merge commit '8a4005cf2b0ef34265ff8051a6b76226685fc226'
79e556223 docs: More on hooks
5088c54df tpl: Do not return any value in errorf
98c8c8638 tpl: Add a warnf template func
4a9d76cea docs: Regen docshelper
626e53b55 Fix incorrect MIME type from image/jpg to image/jpeg
f92f77c5d Preserve HTML Text for link render hooks
6db9c52b1 docs: Footnote
16801db3b Add render template hooks for links and images
0facb823c Merge commit '2e711a28c71e8667258e5ab824f9b9a71c261b0a'
79bf8ed4c markup/tableofcontents: Add config option for ordered list

git-subtree-dir: docs
git-subtree-split: bd0e15bb6063f7ad4f0c47eb33c8c0c23c962d13
2020-01-05 11:13:09 +01:00

72 lines
2.6 KiB
Markdown
Raw Blame History

---
title: safeURL
description: Declares the provided string as a safe URL or URL substring.
godocref: https://golang.org/pkg/html/template/#HTMLEscape
date: 2017-02-01
publishdate: 2017-02-01
lastmod: 2017-02-01
keywords: [strings,urls]
categories: [functions]
menu:
docs:
parent: "functions"
signature: ["safeURL INPUT"]
workson: []
hugoversion:
relatedfuncs: []
deprecated: false
aliases: []
---
`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.
The following examples use a [site `config.toml`][configuration] with the following [menu entry][menus]:
{{< code file="config.toml" copy="false" >}}
[[menu.main]]
name = "IRC: #golang at freenode"
url = "irc://irc.freenode.net/#golang"
{{< /code >}}
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
{{ range .Site.Menus.main }}
<li><a href="{{ .URL }}">{{ .Name }}</a></li>
{{ end }}
</ul>
{{< /code >}}
This partial would produce the following HTML output:
{{< output file="bad-url-sidebar-menu-output.html" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}
The odd output can be remedied by adding ` | safeURL` to our `.URL` page variable:
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
</ul>
{{< /code >}}
With the `.URL` page variable piped through `safeURL`, we get the desired output:
{{< output file="correct-url-sidebar-menu-output.html" >}}
<ul class="sidebar-menu">
<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}
[configuration]: /getting-started/configuration/
[menus]: /content-management/menus/
[RFC 3986]: http://tools.ietf.org/html/rfc3986
Reference in a new issue View git blame Copy permalink