hugo/content/en/functions/safeURL.md
Bjørn Erik Pedersen aa5ac36a3e Squashed 'docs/' changes from 327003421..39a7fac34
39a7fac34 Add .hugo_build.lock to .gitignore
920c716a4 fix a typo: to -> two (#1545)
6f0ba9593 Remove godocref from front matter (#1543)
8ec3d5948 remove link to wercker (#1544)
b56008719 Delete deployment-with-wercker.md (#1542)
e33d29b02 Fix broken links (#1538)
29e9d4c21 Sort commenting systems (#1541)
0b7ea60a7 Delete the news page "HTTP/2 Server Push in Hugo"
6e1515857 Fix quick-start.md (#1525)
62168ab35 Update comments.md (#1535)
d92191512 Small typo (#1539)
129c8834a Correct the PostCSS noMap default value (#1534)
6a5b29fcc Add example to index function (#1536)
e3dd8c507 Update output-formats.md
0c9321ca0 Remove reference to using LiveReload in production environment
4072d6776 Mod testing
09fabf7d6 Fix typo (#1524)
2fce813c8 Fix grammatical error in quick-start.md (#1523)
45230ab4a Hugo Mod testing
2dd4cd9e7 Update index.md
2c3ed62fd netlify: Bump to 0.88.1
648e2a007 Merge branch 'tempv0.88.1'
f216eade1 releaser: Add release notes to /docs for release of 0.88.1
8a7b64d4b Fix typographical errors in 0.88.0 release notes
a4bf86300 Release 0.88
738bb8f38 releaser: Add release notes to /docs for release of 0.88.0
8fcf2c55d highlight: Remove some pygments references
f2b173de2 HTTPS link
c88881c8e Adding link to nginx documentation
6b0a74fe0 Fix typos in docs (#1516)
498b8f0f1 Fix typos in time.Format (#1515)
28723fad6 Fix taxonomy and term examples (#1514)
3ffd00e12 Update front-matter.md
7cc1da82e Fix grammar in 0.86.1 release notes (#1510)
0009c51c3 Update docs helper
7e2f430f4 Update index.md
7857eae7e releaser: Add release notes to /docs for release of 0.87.0
1f08b684b releaser: Add release notes to /docs for release of 0.87.0
36a9e701c docs: Adjust config docs
0f588438e docs: Regen CLI docs
1b4682cd8 docs: Regen docs helper
bc8bbaae9 Merge commit 'bd77f6e1c99e04a476f0b1bb4e44569134e02399' into release-0.87.0
6f2480643 docs: Adjust time zone docs

git-subtree-dir: docs
git-subtree-split: 39a7fac343c289906db644c96079fdcc0298582f
2021-10-31 13:51:51 +01:00

2.5 KiB

title description date publishdate lastmod keywords categories menu signature workson hugoversion relatedfuncs deprecated aliases
safeURL Declares the provided string as a safe URL or URL substring. 2017-02-01 2017-02-01 2017-02-01
strings
urls
functions
docs
parent
functions
safeURL INPUT
false

safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.

Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a site config.toml with the following menu entry:

{{< code file="config.toml" copy="false" >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}

    {{ range .Site.Menus.main }}
  • {{ .Name }}
  • {{ end }}
{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}

{{< /output >}}

The odd output can be remedied by adding | safeURL to our .URL page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}

  • {{ .Name }}
{{< /code >}}

With the .URL page variable piped through safeURL, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}

{{< /output >}}