mirror/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2025-08-22 21:42:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '41bc6f702aa54200530efbf4267e5c823df3028d'

Browse Source
This commit is contained in:
Bjørn Erik Pedersen
2022-12-20 11:04:41 +01:00
parent eda1e720cd 41bc6f702a
commit 9a215d6950
71 changed files with 292 additions and 256 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/content/en/functions/safeURL.md
View File

@@ -17,7 +17,7 @@ deprecated: false
aliases: []
---
`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.