mirror/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2025-08-20 21:31:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '8b9803425e63e1b1801f8d5d676e96368d706722'

Browse Source
This commit is contained in:
Bjørn Erik Pedersen
2024-06-21 09:41:24 +02:00
parent d5542ed286 8b9803425e
commit af0cb57aaf
475 changed files with 7408 additions and 4720 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
docs/content/en/functions/safe/URL.md
View File

@@ -13,58 +13,56 @@ action:
- functions/safe/JSStr
returnType: template.URL
signatures: [safe.URL INPUT]
toc: true
aliases: [/functions/safeurl]
---
`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
## Introduction
Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.
{{% include "functions/_common/go-html-template-package.md" %}}
The following examples use a [site `hugo.toml`][configuration] with the following [menu entry][menus]:
## Usage
{{< code-toggle file=hugo >}}
[[menus.main]]
name = "IRC: #golang at freenode"
url = "irc://irc.freenode.net/#golang"
{{< /code-toggle >}}
Use the `safe.URL` function to encapsulate a known safe URL or URL substring. Schemes other than the following are considered unsafe:
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
- `http:`
- `https:`
- `mailto:`
{{< code file=layouts/partials/bad-url-sidebar-menu.html >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
{{ range .Site.Menus.main }}
<li><a href="{{ .URL }}">{{ .Name }}</a></li>
{{ end }}
</ul>
{{< /code >}}
Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
This partial would produce the following HTML output:
See the [Go documentation] for details.
```html
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
[Go documentation]: https://pkg.go.dev/html/template#URL
## Example
Without a safe declaration:
```go-html-template
{{ $href := "irc://irc.freenode.net/#golang" }}
<a href="{{ $href }}">IRC</a>
```
The odd output can be remedied by adding ` | safeURL` to our `.URL` page variable:
{{< code file=layouts/partials/correct-url-sidebar-menu.html >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
</ul>
{{< /code >}}
With the `.URL` page variable piped through `safeURL`, we get the desired output:
Hugo renders the above to:
```html
<ul class="sidebar-menu">
<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
<a href="#ZgotmplZ">IRC</a>
```
[configuration]: /getting-started/configuration/
[menus]: /content-management/menus/
[RFC 3986]: https://tools.ietf.org/html/rfc3986
{{% note %}}
`ZgotmplZ` is a special value that indicates that unsafe content reached a CSS or URL context at runtime.
{{% /note %}}
To declare the string as safe:
```go-html-template
{{ $href := "irc://irc.freenode.net/#golang" }}
<a href="{{ $href | safeURL }}">IRC</a>
```
Hugo renders the above to:
```html
<a href="irc://irc.freenode.net/#golang">IRC</a>
```