Skip to content
Permalink
Browse files

tpl: Fix internal templates usage of safeHTMLAttr

The `safeHTMLAttr` function operates on a full attribute definition, not
just within the attribute value.

Docs: https://gohugo.io/functions/safehtmlattr/

For `opengraph.html`, run the whole `content` HTML attribute through
`safeHTMLAttr`. That will preserve `+` signs in formatted dates.

For `vimeo_simple.html`, `safeHTMLAttr` was in the context of an
attribute value, thus having no effect. In this case we could replace it
with `safeURL`, but since the code is coming from an API it is safer to
just let Go's template engine sanitize the value as it already does with
`provider_url`.

Fixes #5236 (no need to change Go upstream)
Related to #5246
  • Loading branch information...
rhcarvalho authored and bep committed Apr 22, 2019
1 parent 71b8d8b commit e22b3f54c3d8ce6567c21c63beab0b03cf7983ea

Some generated files are not rendered by default. Learn more.

@@ -6,14 +6,15 @@
<meta property="og:image" content="{{ . | absURL }}" />
{{ end }}{{ end }}

{{- $iso8601 := "2006-01-02T15:04:05-07:00" -}}
{{- if .IsPage }}
{{- if not .PublishDate.IsZero }}<meta property="article:published_time" content="{{ .PublishDate.Format "2006-01-02T15:04:05-07:00" | safeHTMLAttr }}"/>
{{ else if not .Date.IsZero }}<meta property="article:published_time" content="{{ .Date.Format "2006-01-02T15:04:05-07:00" | safeHTMLAttr }}"/>
{{- if not .PublishDate.IsZero }}<meta property="article:published_time" {{ .PublishDate.Format $iso8601 | printf "content=%q" | safeHTMLAttr }} />
{{ else if not .Date.IsZero }}<meta property="article:published_time" {{ .Date.Format $iso8601 | printf "content=%q" | safeHTMLAttr }} />
{{ end }}
{{- if not .Lastmod.IsZero }}<meta property="article:modified_time" content="{{ .Lastmod.Format "2006-01-02T15:04:05-07:00" | safeHTMLAttr }}"/>{{ end }}
{{- if not .Lastmod.IsZero }}<meta property="article:modified_time" {{ .Lastmod.Format $iso8601 | printf "content=%q" | safeHTMLAttr }} />{{ end }}
{{- else }}
{{- if not .Date.IsZero }}
<meta property="og:updated_time" content="{{ .Date.Format "2006-01-02T15:04:05-07:00" | safeHTMLAttr }}"/>
<meta property="og:updated_time" {{ .Date.Format $iso8601 | printf "content=%q" | safeHTMLAttr }} />
{{- end }}
{{- end }}{{/* .IsPage */}}

@@ -10,7 +10,7 @@
{{ $secondClass := "s_video_simple" }}
<div class="{{ $secondClass }} {{ $class }}">
{{- with $item }}
<a href="{{ .provider_url }}{{ .video_id | safeHTMLAttr }}" target="_blank">
<a href="{{ .provider_url }}{{ .video_id }}" target="_blank">
{{ $thumb := .thumbnail_url }}
{{ $original := $thumb | replaceRE "(_.*\\.)" "." }}
<img src="{{ $thumb }}" srcset="{{ $thumb }} 1x, {{ $original }} 2x" alt="{{ .title }}">

0 comments on commit e22b3f5

Please sign in to comment.
You can’t perform that action at this time.