26f1458a2d
bd0e15bb6 Optimised images with calibre/image-actions 59830ea44 Remove comments from quickstart code samples 348821b5d Remove image-actions 1cbbd26a9 Update index.md bcf3de764 Update index.md fcf17e6ef Release 0.62.1 0956bde21 Merge branch 'temp621' 28d604756 releaser: Add release notes to /docs for release of 0.62.1 c895f12e7 Fix statement about version installed with apt-get (#854) e96928e38 Updated quickstart to split theme download and theme config add into separate blocks (#967) e099c1ad6 changed ".Title" to ".URL" (#972) bea71280d Fix small typing error (#1001) 9c28c422e Correct hyperlink for 'markdownify' function cf3844a06 Corrected small conjugation mistake (#996) 8b9c1d4f2 Added remarks about additional parameters in ref/relref (#995) ca06c9a56 Fix illegal character in render-link.html example 7a85c789b Update RenderString.md 69df3b17e Update configuration-markup.md 43e9222a2 Revert "Add shortcodes to note comparing with `markdownify`" 2bd5bc2d7 Add shortcodes to note comparing with `markdownify` ddfee60b7 Update configuration-markup.md f87c35fe2 docs: Remove extra double quotation 5ca5cc15f Update index.md 6e457f5ec Update configuration-markup.md 12df3c0fc Update configuration-markup.md 91977fd96 Update configuration-markup.md 377b8954a Update configuration-markup.md 99d691b5e Update hosting-on-render.md ccf855b22 Update index.md a945acc42 Update index.md 7d4f308d6 Fix Netlify config f4caa07f5 Release 0.62.0 79d18276f releaser: Add release notes to /docs for release of 0.62.0 9db1a08d1 Merge commit '8a4005cf2b0ef34265ff8051a6b76226685fc226' 79e556223 docs: More on hooks 5088c54df tpl: Do not return any value in errorf 98c8c8638 tpl: Add a warnf template func 4a9d76cea docs: Regen docshelper 626e53b55 Fix incorrect MIME type from image/jpg to image/jpeg f92f77c5d Preserve HTML Text for link render hooks 6db9c52b1 docs: Footnote 16801db3b Add render template hooks for links and images 0facb823c Merge commit '2e711a28c71e8667258e5ab824f9b9a71c261b0a' 79bf8ed4c markup/tableofcontents: Add config option for ordered list git-subtree-dir: docs git-subtree-split: bd0e15bb6063f7ad4f0c47eb33c8c0c23c962d13
2.6 KiB
| title | description | godocref | date | publishdate | lastmod | keywords | categories | menu | signature | workson | hugoversion | relatedfuncs | deprecated | aliases | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| safeURL | Declares the provided string as a safe URL or URL substring. | https://golang.org/pkg/html/template/#HTMLEscape | 2017-02-01 | 2017-02-01 | 2017-02-01 |
|
|
|
|
false |
safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.
Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.
The following examples use a site config.toml with the following menu entry:
{{< code file="config.toml" copy="false" >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
-
{{ range .Site.Menus.main }}
- {{ .Name }} {{ end }}
This partial would produce the following HTML output:
{{< output file="bad-url-sidebar-menu-output.html" >}}
{{< /output >}}The odd output can be remedied by adding | safeURL to our .URL page variable:
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
- {{ .Name }}
With the .URL page variable piped through safeURL, we get the desired output:
{{< output file="correct-url-sidebar-menu-output.html" >}}
{{< /output >}}