Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
72 lines (59 sloc) 2.58 KB
title description godocref date publishdate lastmod keywords categories menu signature workson hugoversion relatedfuncs deprecated aliases
safeURL
Declares the provided string as a safe URL or URL substring.
2017-02-01
2017-02-01
2017-02-01
strings
urls
functions
docs
parent
functions
safeURL INPUT
false

safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.

Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a site config.toml with the following menu entry:

{{< code file="config.toml" copy="false" >}} [[menu.main]] name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}

{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}

{{< /output >}}

The odd output can be remedied by adding | safeURL to our .URL page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}

{{< /code >}}

With the .URL page variable piped through safeURL, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}

  • IRC: #golang at freenode
{{< /output >}}
You can’t perform that action at this time.