github/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2024-11-14 20:37:55 -05:00
Code Issues Projects Releases Packages Wiki Activity
hugo/content/en/functions/safeURL.md
Bjørn Erik Pedersen 41bc6f702a Squashed 'docs/' changes from 2201ac0e5..2c0125b52 
2c0125b52 Remove .Site.Author
2cf8841b3 Update partialCached.md (#1924)
385487191 Update data-templates.md (#1926)
ce207e141 Remove redundant markdown and fix a few typos (#1936)
3687c2953 Make heading id linkable, take 2
45c79bea7 Make heading id linkable
b22079344 Delete duplicates the lines 557-569 and 570-582. (#1934)
0a90dc122 Rework the taxonomy variables page (#1935)
7f8979c50 Update theme
26e682a3a Update multilingual.md
d40e7693f Update postcss.md
375d75c01 Update postcss npm instructions (#1931)
63020094a Emphasize Window shell selection (#1930)
56824be2c Update configuration.md
b7b8f16b3 Docu 'Theme components': minor fix (#1929)
09dc81a05 Remove Docker from BSD page (#1927)
205fea204 netlify: Hugo 0.108.0
6abe49c28 Merge commit 'da670c38ee63a7fef25e2b9f42519232055b60dc'
12b59a4c5 docs: Add basic doc for wrapStandAloneImageWithinParagraph etc.
ba07bd970 dartsass: Add sourceMapIncludeSources option

git-subtree-dir: docs
git-subtree-split: 2c0125b5290494d49334606c451446ebd9df3c21
2022-12-20 11:04:41 +01:00

2.5 KiB
Raw Blame History

title description date publishdate lastmod keywords categories menu signature workson hugoversion relatedfuncs deprecated aliases
safeURL Declares the provided string as a safe URL or URL substring. 2017-02-01 2017-02-01 2017-02-01
strings
urls
functions
docs
parent
functions
safeURL INPUT
false

safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.

Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a site config.toml with the following menu entry:

{{< code file="config.toml" copy="false" >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}

    {{ range .Site.Menus.main }}
  • {{ .Name }}
    • {{ end }}
{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}

{{< /output >}}

The odd output can be remedied by adding | safeURL to our .URL page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}

  • {{ .Name }}
{{< /code >}}

With the .URL page variable piped through safeURL, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}

{{< /output >}}