2.3 KiB
title, description, keywords, categories, menu, signature, relatedfuncs
| title | description | keywords | categories | menu | signature | relatedfuncs | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| safeURL | Declares the provided string as a safe URL or URL substring. |
|
|
|
|
safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.
Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.
The following examples use a site hugo.toml with the following menu entry:
{{< code-toggle file="hugo" copy=false >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code-toggle >}}
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy=false >}}
-
{{ range .Site.Menus.main }}
- {{ .Name }} {{ end }}
This partial would produce the following HTML output:
<!-- This unordered list may be part of a sidebar menu -->
<ul>
<li><a href="#ZgotmplZ">IRC: #golang at freenode</a></li>
</ul>
The odd output can be remedied by adding | safeURL to our .URL page variable:
{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy=false >}}
{{< /code >}}With the .URL page variable piped through safeURL, we get the desired output:
<ul class="sidebar-menu">
<li><a href="irc://irc.freenode.net/#golang">IRC: #golang at freenode</a></li>
</ul>