---
title: safeURL
description: Declares the provided string as a safe URL or URL substring.
godocref: https://golang.org/pkg/html/template/#HTMLEscape
date: 2017-02-01
publishdate: 2017-02-01
lastmod: 2017-02-01
keywords:
categories:
menu:
signature:
workson:
hugoversion:
relatedfuncs:
deprecated: false
aliases:
---
`safeURL` declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI scheme (e.g., `irc:` or `javascript:`) is detected, the whole URL is replaced with `#ZgotmplZ`. This "defangs" any potential attack in the URL by rendering it useless.
The following examples use a site `config.toml` with the following menu entry:

{{< code file="config.toml" copy="false" >}}
[[menu.main]]
    name = "IRC: #golang at freenode"
    url = "irc://irc.freenode.net/#golang"
{{< /code >}}
The following is an example of a sidebar partial that may be used in conjunction with the preceding `config.toml` menu entry:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>
{{< /code >}}
This partial would produce the following HTML output, with the `irc:` URL replaced by `#ZgotmplZ`:

{{< output file="bad-url-sidebar-menu-output.html" >}}
<ul>
  <li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}

The odd output can be remedied by adding `| safeURL` to the `.URL` variable of each menu entry:
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>
{{< /code >}}

With the `.URL` variable piped through `safeURL`, we get the desired output:
{{< output file="correct-url-sidebar-menu-output.html" >}}
<ul>
  <li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}
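The filtering described above is done by Go's `html/template`, which Hugo builds on; `safeURL` simply wraps the string in the package's `template.URL` type. The following is an added example (not from the Hugo docs or code base) that renders the same `<a href="{{ .URL }}">` pattern as the partial, once with a plain string and once with `template.URL`, using constructed menu data:

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// menuEntry mirrors one [[menu.main]] entry from the config.toml above
// (constructed sample data, not read from a real Hugo site).
type menuEntry struct {
	Name string
	URL  any // a plain string (untrusted) or template.URL (declared safe)
}

// renderMenu executes the same <a href="{{ .URL }}"> pattern as the sidebar
// partial and returns the HTML that Go's html/template produces for it.
func renderMenu(entries []menuEntry) (string, error) {
	tmpl, err := template.New("menu").Parse(
		`<ul>{{ range . }}<li><a href="{{ .URL }}">{{ .Name }}</a></li>{{ end }}</ul>`)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, entries); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUntrusted passes the URL as a plain string. In href context the
// template's URL filter trusts only http:, https: and mailto:, so any other
// scheme (irc:, javascript:, ...) is replaced by #ZgotmplZ.
func RenderUntrusted(name, rawURL string) (string, error) {
	return renderMenu([]menuEntry{{Name: name, URL: rawURL}})
}

// RenderTrusted wraps the URL in template.URL, which is what Hugo's safeURL
// does: the filter is bypassed and the scheme is kept verbatim, so this is
// only appropriate for URLs the site author controls (such as config.toml).
func RenderTrusted(name, rawURL string) (string, error) {
	return renderMenu([]menuEntry{{Name: name, URL: template.URL(rawURL)}})
}

func main() {
	const name, ircURL = "IRC: #golang at freenode", "irc://irc.freenode.net/#golang"
	bad, _ := RenderUntrusted(name, ircURL)
	good, _ := RenderTrusted(name, ircURL)
	fmt.Println(bad)  // href="#ZgotmplZ"
	fmt.Println(good) // href="irc://irc.freenode.net/#golang"
}
```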