hugo/docs/content/en/functions/safeURL.md

title	description	date	publishdate	lastmod	keywords	categories	menu	signature	workson	hugoversion	relatedfuncs	deprecated	aliases
safeURL	Declares the provided string as a safe URL or URL substring.	2017-02-01	2017-02-01	2017-02-01	strings urls	functions	docs parent functions	safeURL INPUT				false

safeURL declares the provided string as a "safe" URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector.

Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ. This is to "defang" any potential attack in the URL by rendering it useless.

The following examples use a site config.toml with the following menu entry:

{{< code file="config.toml" copy="false" >}} menu.main name = "IRC: #golang at freenode" url = "irc://irc.freenode.net/#golang" {{< /code >}}

The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:

{{< code file="layouts/partials/bad-url-sidebar-menu.html" copy="false" >}}

{{ range .Site.Menus.main }}
• {{ .Name }}
{{ end }}

{{< /code >}}

This partial would produce the following HTML output:

{{< output file="bad-url-sidebar-menu-output.html" >}}

• IRC: #golang at freenode

{{< /output >}}

The odd output can be remedied by adding | safeURL to our .URL page variable:

{{< code file="layouts/partials/correct-url-sidebar-menu.html" copy="false" >}}

• {{ .Name }}

{{< /code >}}

With the .URL page variable piped through safeURL, we get the desired output:

{{< output file="correct-url-sidebar-menu-output.html" >}}

• IRC: #golang at freenode

{{< /output >}}