mirror/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2025-08-22 21:42:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit 'f96384a3b596f9bc0a3a035970b09b2c601f0ccb'

Browse Source
This commit is contained in:
Bjørn Erik Pedersen
2023-05-22 16:47:07 +02:00
parent 4cac5f5e30 f96384a3b5
commit b95e156940
341 changed files with 3107 additions and 4238 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
docs/content/en/functions/safeURL.md
View File

@@ -1,20 +1,13 @@
---
title: safeURL
description: Declares the provided string as a safe URL or URL substring.
date: 2017-02-01
publishdate: 2017-02-01
lastmod: 2017-02-01
keywords: [strings,urls]
categories: [functions]
menu:
docs:
parent: "functions"
parent: functions
signature: ["safeURL INPUT"]
workson: []
hugoversion:
relatedfuncs: []
deprecated: false
aliases: []
---
`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
@@ -23,35 +16,35 @@ Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are cons
The following examples use a [site `config.toml`][configuration] with the following [menu entry][menus]:
{{< code file="config.toml" copy="false" >}}
{{< code-toggle file="config" copy=false >}}
[[menu.main]]
name = "IRC: #golang at freenode"
url = "irc://irc.freenode.net/#golang"
{{< /code >}}
name = "IRC: #golang at freenode"
url = "irc://irc.freenode.net/#golang"
{{< /code-toggle >}}
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy=false >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
{{ range .Site.Menus.main }}
<li><a href="{{ .URL }}">{{ .Name }}</a></li>
<li><a href="{{ .URL }}">{{ .Name }}</a></li>
{{ end }}
</ul>
{{< /code >}}
This partial would produce the following HTML output:
{{< output file="bad-url-sidebar-menu-output.html" >}}
```html
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}
```
The odd output can be remedied by adding ` | safeURL` to our `.URL` page variable:
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy=false >}}
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="{{ .URL | safeURL }}">{{ .Name }}</a></li>
@@ -60,11 +53,11 @@ The odd output can be remedied by adding ` | safeURL` to our `.URL` page variabl
With the `.URL` page variable piped through `safeURL`, we get the desired output:
{{< output file="correct-url-sidebar-menu-output.html" >}}
```html
<ul class="sidebar-menu">
<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>
{{< /output >}}
```
[configuration]: /getting-started/configuration/
[menus]: /content-management/menus/