summaryrefslogtreecommitdiffstats
path: root/docs/content/en/functions/safeURL.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/content/en/functions/safeURL.md')
-rw-r--r--docs/content/en/functions/safeURL.md2
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/content/en/functions/safeURL.md b/docs/content/en/functions/safeURL.md
index 959076246..285542ea9 100644
--- a/docs/content/en/functions/safeURL.md
+++ b/docs/content/en/functions/safeURL.md
@@ -17,7 +17,7 @@ deprecated: false
aliases: []
---
-`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
+`safeURL` declares the provided string as a "safe" URL or URL substring (see [RFC 3986]). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.
Without `safeURL`, only the URI schemes `http:`, `https:` and `mailto:` are considered safe by Go templates. If any other URI schemes (e.g., `irc:` and `javascript:`) are detected, the whole URL will be replaced with `#ZgotmplZ`. This is to "defang" any potential attack in the URL by rendering it useless.
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-08 10:18:13 +0000