少于1分钟
将以下英文翻译为中文:
https://gohugo.io/functions/safeurl/
Declares the provided string as a safe URL or URL substring.
safeURL INPUT
safeURL
declares the provided string as a “safe” URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage()
from a trusted source should go in the page, but by default dynamic javascript:
URLs are filtered out since they are a frequently exploited injection vector.
Without safeURL
, only the URI schemes http:
, https:
and mailto:
are considered safe by Go templates. If any other URI schemes (e.g., irc:
and javascript:
) are detected, the whole URL will be replaced with #ZgotmplZ
. This is to “defang” any potential attack in the URL by rendering it useless.
The following examples use a site config.toml
with the following menu entry:
config.
=== “yaml”
``` yaml
menu:
main:
- name: 'IRC: #golang at freenode'
url: irc://irc.freenode.net/#golang
```
=== “toml”
``` toml
[menu]
[[menu.main]]
name = 'IRC: #golang at freenode'
url = 'irc://irc.freenode.net/#golang'
```
=== “json”
``` json
{
"menu": {
"main": [
{
"name": "IRC: #golang at freenode",
"url": "irc://irc.freenode.net/#golang"
}
]
}
}
```
The following is an example of a sidebar partial that may be used in conjunction with the preceding front matter example:
layouts/partials/bad-url-sidebar-menu.html
|
|
This partial would produce the following HTML output:
|
|
The odd output can be remedied by adding | safeURL
to our .URL
page variable:
layouts/partials/correct-url-sidebar-menu.html
|
|
With the .URL
page variable piped through safeURL
, we get the desired output:
|
|