mirror of
https://github.com/gohugoio/hugo.git
synced 2024-11-14 20:37:55 -05:00
d3927310d5
1798dc0d5 Update theme 403fa716e Update CLI documentation (#2092) aade5a09e Correct media subtype example 53cd9dea6 netlify: Hugo 0.112.3 b78b86cb1 Add source/target warning to resources.Copy (#2091) 50c299729 netlify: Hugo 0.112.2 73197046f Change config.xxx to hugo.xxx throughout the documentation (#2090) d489d4c6f Add hugo.WorkingDir to docs (#2089) 7487df809 Fix typos (#2088) 6d0572cd6 netlify: Hugo 0.112.1 6838600b2 netlify: Hugo 0.112.0 513e7a80f Merge branch 'tempv0.112.0' 91eb44275 Some more about 0.112.0 bd3b33a27 docs: Regen docshelper fb3027daf docs: Regen CLI docs 8e7b8e987 Merge commit 'f96384a3b596f9bc0a3a035970b09b2c601f0ccb' a942ceef4 tpl/tplimpl: Add img loading attribute to figure shortcode (#10927) 0e0c7b25e tpl/urls: Return empty string when JoinPath has zero args 310ce949a tpl/urls: Add JoinPath template function ae435ca77 tpl: Add math.Abs f340139f8 Revert "Update syntax-highlighting.md (#10929)" (#10930) 917a0e24d Update syntax-highlighting.md (#10929) git-subtree-dir: docs git-subtree-split: 1798dc0d54ce048dd975863b490cd809ef14268a
64 lines
2.3 KiB
Markdown
64 lines
2.3 KiB
Markdown
---
|
|
title: safeURL
|
|
description: Declares the provided string as a safe URL or URL substring.
|
|
keywords: [strings,urls]
|
|
categories: [functions]
|
|
menu:
|
|
docs:
|
|
parent: functions
|
|
signature: ["safeURL INPUT"]
|
|
relatedfuncs: []
|
|
---
|
|
|
|
`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
|
|
|
|
Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.
|
|
|
|
The following examples use a [site `hugo.toml`][configuration] with the following [menu entry][menus]:
|
|
|
|
{{< code-toggle file="hugo" copy=false >}}
|
|
[[menu.main]]
|
|
name = "IRC: #golang at freenode"
|
|
url = "irc://irc.freenode.net/#golang"
|
|
{{< /code-toggle >}}
|
|
|
|
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
|
|
|
|
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy=false >}}
|
|
<!-- This unordered list may be part of a sidebar menu -->
|
|
<ul>
|
|
{{ range .Site.Menus.main }}
|
|
<li><a href="{{ .URL }}">{{ .Name }}</a></li>
|
|
{{ end }}
|
|
</ul>
|
|
{{< /code >}}
|
|
|
|
This partial would produce the following HTML output:
|
|
|
|
```html
|
|
<!-- This unordered list may be part of a sidebar menu -->
|
|
<ul>
|
|
<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
|
|
</ul>
|
|
```
|
|
|
|
The odd output can be remedied by adding ` | safeURL` to our `.URL` page variable:
|
|
|
|
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy=false >}}
|
|
<!-- This unordered list may be part of a sidebar menu -->
|
|
<ul>
|
|
<li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
|
|
</ul>
|
|
{{< /code >}}
|
|
|
|
With the `.URL` page variable piped through `safeURL`, we get the desired output:
|
|
|
|
```html
|
|
<ul class="sidebar-menu">
|
|
<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
|
|
</ul>
|
|
```
|
|
|
|
[configuration]: /getting-started/configuration/
|
|
[menus]: /content-management/menus/
|
|
[RFC 3986]: https://tools.ietf.org/html/rfc3986
|