hugo/content/functions/safeURL.md
Bjørn Erik Pedersen ba45da9d03 Squashed 'docs/' changes from 44fe0285..32356e4e
32356e4e Fix typo in header of shortcode-templates.md
c8f1a2d2 Correct code example for index template function
bfa6a55d Escape code fencing
ff8b2f99 Fix typos in deployment with wercker tutorial
557c36e8 theme: Merge commit '7fbb4bed25001182bfeb91f79db0f0c1936582ee'
7fbb4bed Squashed 'themes/gohugoioTheme/' changes from 7dd8a302..ca53082d
ce31cee0 Add "See Also" config
158cee1b Make the tags into keywords
61600be6 Add a note to the related section
49edb5a2 Release 0.27.1
c9bbc001 releaser: Add release notes to /docs for release of 0.27.1
213c6c3b Add bugs poster
8b4590cd Add KeyCDN integration tutorial
2b277859 Add tutorial videos to several docs pages
950fef1f Update roadmap to link to the correct milestones page
496f5bf6 Rename relnotes
d6f9378d Bump Netlify versions to 0.27
087fde7f Update 0.27 release notes
603f94ae docs: Document Related Content
3790f6a3 releaser: Bump versions for release of 0.27
0948868c releaser: Add release notes to /docs for release of 0.27

git-subtree-dir: docs
git-subtree-split: 32356e4eabe357ae914f4d1d59e8ae31ce936723
2017-09-21 19:03:00 +02:00


---
title: safeURL
description: Declares the provided string as a safe URL or URL substring.
godocref: https://golang.org/pkg/html/template/#HTMLEscape
date: 2017-02-01
publishdate: 2017-02-01
lastmod: 2017-02-01
keywords: [strings,urls]
categories: [functions]
menu:
  docs:
    parent: "functions"
signature: ["safeURL INPUT"]
workson: []
hugoversion:
relatedfuncs: []
deprecated: false
aliases: []
---

`safeURL` declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI scheme (e.g., `irc:` or `javascript:`) is detected, the whole URL is replaced with `#ZgotmplZ`. This "defangs" any potential attack in the URL by rendering it useless.

The following examples use a site `config.toml` with the following menu entry:

{{< code file="config.toml" copy="false" >}}
[[menu.main]]
    name = "IRC: #golang at freenode"
    url = "irc://irc.freenode.net/#golang"
{{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding `config.toml` menu entry:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>
{{< /code >}}

This partial would produce the following HTML output, with the `irc:` URL replaced by `#ZgotmplZ`:

{{< output file="bad-url-sidebar-menu-output.html" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  <li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}

The odd output can be remedied by piping the `.URL` menu variable through `| safeURL`:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  {{ range .Site.Menus.main }}
  <li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
  {{ end }}
</ul>
{{< /code >}}

With the `.URL` variable piped through `safeURL`, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
  <li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}
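As an added example (not Hugo's own code), the following Go program reproduces what the two partials above go through inside Go's `html/template`: the same `<li>` line is rendered once with the URL as a plain string and once wrapped in `template.URL`, which is the type `safeURL` produces. The `MenuEntry` type and the `Render`, `Plain` and `Safe` functions are names chosen here for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// MenuEntry carries the two fields the Hugo partial reads: .Name and .URL.
// URL is interface{} so it can hold either a plain string (untrusted) or a
// template.URL (marked safe), which is what Hugo's safeURL returns.
type MenuEntry struct {
	Name string
	URL  interface{}
}

// anchorTmpl is the <li> line of the sidebar partial shown above.
const anchorTmpl = `<li><a href="{{ .URL }}">{{ .Name }}</a></li>`

// Render executes the template with Go's context-aware escaper, so the
// value of .URL passes through the href scheme filter before insertion.
func Render(e MenuEntry) (string, error) {
	t, err := template.New("li").Parse(anchorTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Plain passes the URL as an ordinary string: any scheme other than
// http:, https: or mailto: is replaced by #ZgotmplZ.
func Plain(name, url string) (string, error) {
	return Render(MenuEntry{Name: name, URL: url})
}

// Safe wraps the URL in template.URL, the equivalent of {{ .URL | safeURL }},
// so the escaper trusts the scheme and only normalizes the URL text.
func Safe(name, url string) (string, error) {
	return Render(MenuEntry{Name: name, URL: template.URL(url)})
}

func main() {
	for _, u := range []string{"https://gohugo.io/", "irc://irc.freenode.net/#golang",
		"javascript:checkThatFormNotEditedBeforeLeavingPage()"} {
		out, _ := Plain("link", u)
		fmt.Println("plain:", out)
	}
	out, _ := Safe("IRC: #golang at freenode", "irc://irc.freenode.net/#golang")
	fmt.Println("safe: ", out)
}
```

Only the `irc:` and `javascript:` URLs are defanged in the plain case; the `https:` URL passes the filter unchanged, and the `template.URL` value is emitted as given.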