github/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2024-11-14 20:37:55 -05:00
Code Issues Projects Releases Packages Wiki Activity
hugo/docs/content/functions/safeURL.md
Bjørn Erik Pedersen 4c220c4ac2 Merge commit '6dbde8d731f221b027c0c60b772ba82dad759943' 
Fixes #3709
2017-07-18 10:33:58 +02:00

2.6 KiB
Raw Blame History

title description godocref date publishdate lastmod categories menu signature workson hugoversion relatedfuncs deprecated aliases
safeURL Declares the provided string as a safe URL or URL substring. https://golang.org/pkg/html/template/#HTMLEscape 2017-02-01 2017-02-01 2017-02-01
functions
docs
parent
functions
safeURL INPUT
false

safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.

Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a site config.toml with the following menu entry:

{{% code file="config.toml" copy="false" %}}

[[menu.main]]
    name = "IRC: #golang at freenode"
    url = "irc://irc.freenode.net/#golang"

{{% /code %}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{% code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" %}}

<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>

{{% /code %}}

This partial would produce the following HTML output:

{{% output file="bad-url-sidebar-menu-output.html" %}}

<!-- This unordered list may be part of a sidebar menu -->
<ul>
    <li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>

{{% /output %}}

The odd output can be remedied by adding | safeURL to our .Title page variable:

{{% code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" %}}

<!-- This unordered list may be part of a sidebar menu -->
<ul>
    <li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
</ul>

{{% /code %}}

With the .URL page variable piped through safeURL, we get the desired output:

{{% output file="correct-url-sidebar-menu-output.html" %}}

<ul class="sidebar-menu">
    <li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>

{{% /output %}}