89044b8f87
ec0abe052 Update index.md ed44339cd Update bio.md cef04eb95 Minor edits 4d45dcc8d Submitting Digital.gov to the Hugo Showcase d35126af7 Azure uses storage containers, not buckets; edited accordingly. (#1078) 9c249cc89 fix grammatical error 9728699a3 Release Hugo 0.69.2 cccabed0c Merge branch 'temp692' 3d0a740c4 releaser: Add release notes to /docs for release of 0.69.2 b760aceb1 HTTPS external links in docs 49e4631b0 Release 0.69.1 01f3da870 Merge branch 'temp691' 8280d85aa releaser: Add release notes to /docs for release of 0.69.1 40ea44d24 fix typo (#1088) 725f53643 Rebuild cache 80ee1efd9 Add KeyCDN Showcase f253e906e docs: Fix typo in Hugo's Security Model b3ffd1ad3 Mentioning a range is equivalent to foreach (#1086) 0c396911f Update jsonify function docs 376befc9a Fix typo (#1084) 4bdc9bc72 Mark .Page.UniqueID as deprecated and add .File.UniqueID 30a7b7bf2 Update hosting-on-github.md c5db4ba2b Update postprocess.md 1121f74a5 Update install guide with Scoop extended 8988aa6fa Merge branch 'postprocess' 225d3f9c7 Release Hugo 0.69.0 4caf7a89a releaser: Add release notes to /docs for release of 0.69.0 664b2a0fa Document resources.PostProcess and buildStats 9737b34e9 docs: Regen docs helper 0fab3ba24 Merge commit 'da3c3e5fbd0de65f956618cd2e35401460a3cd02' 96dad83b1 Update hosting-on-aws-amplify.md 57eb27897 Merge commit 'c494c37a4523fbf2db6274dc87e0877fd5bec24b' dcc7afef7 fix typo in getting started git-subtree-dir: docs git-subtree-split: ec0abe052bcfebc65c323df4ff14ad277bb405d8
2.6 KiB
| title | description | godocref | date | publishdate | lastmod | keywords | categories | menu | signature | workson | hugoversion | relatedfuncs | deprecated | aliases | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| safeURL | Declares the provided string as a safe URL or URL substring. | https://golang.org/pkg/html/template/#HTMLEscape | 2017-02-01 | 2017-02-01 | 2017-02-01 |
|
|
|
|
false |
safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.
Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.
The following examples use a site config.toml with the following menu entry:
{{< code file="config.toml" copy="false" >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
-
{{ range .Site.Menus.main }}
- {{ .Name }} {{ end }}
This partial would produce the following HTML output:
{{< output file="bad-url-sidebar-menu-output.html" >}}
{{< /output >}}The odd output can be remedied by adding | safeURL to our .URL page variable:
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
- {{ .Name }}
With the .URL page variable piped through safeURL, we get the desired output:
{{< output file="correct-url-sidebar-menu-output.html" >}}
{{< /output >}}