mirror/hugo
1
0
Fork 0
mirror of https://github.com/gohugoio/hugo.git synced 2025-08-23 21:53:09 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
release-0.109.0
hugo/docs/content/en/functions/safeURL.md
Bjørn Erik Pedersen 9a215d6950 Merge commit '41bc6f702aa54200530efbf4267e5c823df3028d'
2022-12-20 11:04:41 +01:00

2.5 KiB
Raw Permalink Blame History

title, description, date, publishdate, lastmod, keywords, categories, menu, signature, workson, hugoversion, relatedfuncs, deprecated, aliases
title description date publishdate lastmod keywords categories menu signature workson hugoversion relatedfuncs deprecated aliases
safeURL Declares the provided string as a safe URL or URL substring. 2017-02-01 2017-02-01 2017-02-01
strings
urls
functions
docs
parent
functions
safeURL INPUT
false

safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.

Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a site config.toml with the following menu entry:

{{< code file="config.toml" copy="false" >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}

{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}

{{< /output >}}

The odd output can be remedied by adding | safeURL to our .URL page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}

{{< /code >}}

With the .URL page variable piped through safeURL, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}

{{< /output >}}