diff options
Diffstat (limited to 'docs/content/en/functions/safeURL.md')
-rw-r--r-- | docs/content/en/functions/safeURL.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/content/en/functions/safeURL.md b/docs/content/en/functions/safeURL.md index 959076246..285542ea9 100644 --- a/docs/content/en/functions/safeURL.md +++ b/docs/content/en/functions/safeURL.md @@ -17,7 +17,7 @@ deprecated: false aliases: [] --- -`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector. +`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector. Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless. |