https://v0-122-0--gohugoio.netlify.app/functions/safe/Recent content in Safe functions on HugoHugo -- gohugo.ioenhttps://v0-122-0--gohugoio.netlify.app/functions/safe/css/Mon, 01 Jan 0001 00:00:00 +0000https://v0-122-0--gohugoio.netlify.app/functions/safe/css/In this context, safe means CSS content that matches any of the following: The CSS3 stylesheet production, such as p { color: purple }. The CSS3 rule production, such as a[href=~"https:"].foo#bar. CSS3 declaration productions, such as color: red; margin: 2px. The CSS3 value production, such as rgba(0, 0, 255, 127). Example: Given style = "color: red;" defined in the front matter of your .md file: <p style="{{ .Params.style | safeCSS }}">…</p> → <p style="color: red;">…</p> <p style="{{ .https://v0-122-0--gohugoio.netlify.app/functions/safe/html/Mon, 01 Jan 0001 00:00:00 +0000https://v0-122-0--gohugoio.netlify.app/functions/safe/html/It should not be used for HTML from a third-party, or HTML with unclosed tags or comments. Given a site-wide hugo.toml with the following copyright value: hugo. yaml   toml   json   copyright: © 2015 Jane Doe. <a href="https://creativecommons.org/licenses/by/4.0/">Some rights reserved</a>. copyright = '© 2015 Jane Doe. <a href="https://creativecommons.org/licenses/by/4.0/">Some rights reserved</a>.' { "copyright": "© 2015 Jane Doe. \u003ca href=\"https://creativecommons.org/licenses/by/4.0/\"\u003eSome rights reserved\u003c/a\u003e." } {{ .Site.Copyright | safeHTML }} in a template would then output:https://v0-122-0--gohugoio.netlify.app/functions/safe/htmlattr/Mon, 01 Jan 0001 00:00:00 +0000https://v0-122-0--gohugoio.netlify.app/functions/safe/htmlattr/Given a site configuration that contains this menu entry: hugo. yaml   toml   json   menus: main: - name: IRC url: irc://irc.freenode.net/#golang [menus] [[menus.main]] name = 'IRC' url = 'irc://irc.freenode.net/#golang' { "menus": { "main": [ { "name": "IRC", "url": "irc://irc.freenode.net/#golang" } ] } } Attempting to use the url value directly in an attribute: {{ range site.Menus.main }} <a href="{{ .URL }}">{{ .Name }}</a> {{ end }} Will produce:https://v0-122-0--gohugoio.netlify.app/functions/safe/js/Mon, 01 Jan 0001 00:00:00 +0000https://v0-122-0--gohugoio.netlify.app/functions/safe/js/In this context, safe means the string encapsulates a known safe EcmaScript5 Expression (e.g., (x + y * z())). Template authors are responsible for ensuring that typed expressions do not break the intended precedence and that there is no statement/expression ambiguity as when passing an expression like { foo:bar() }\n['foo'](), which is both a valid expression and a valid program with a very different meaning. Example: Given hash = "619c16f" defined in the front matter of your .https://v0-122-0--gohugoio.netlify.app/functions/safe/jsstr/Mon, 01 Jan 0001 00:00:00 +0000https://v0-122-0--gohugoio.netlify.app/functions/safe/jsstr/Encapsulates a sequence of characters meant to be embedded between quotes in a JavaScript expression. Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output. Without declaring a variable to be a safe JavaScript string: {{ $title := "Lilo & Stitch" }} <script> const a = "Title: " + {{ $title }}; </script> Rendered:https://v0-122-0--gohugoio.netlify.app/functions/safe/url/Mon, 01 Jan 0001 00:00:00 +0000https://v0-122-0--gohugoio.netlify.app/functions/safe/url/safeURL declares the provided string as a “safe” URL or URL substring (see RFC 3986). A URL like javascript:checkThatFormNotEditedBeforeLeavingPage() from a trusted source should go in the page, but by default dynamic javascript: URLs are filtered out since they are a frequently exploited injection vector. Without safeURL, only the URI schemes http:, https: and mailto: are considered safe by Go templates. If any other URI schemes (e.g., irc: and javascript:) are detected, the whole URL will be replaced with #ZgotmplZ.