From 31a8a33dda16a33f7c86d4af15a584041a0193d0 Mon Sep 17 00:00:00 2001 From: Anthony Fok Date: Mon, 19 Jan 2015 23:41:22 -0700 Subject: [PATCH] Add `safeUrl`; disable `safeHtmlAttr`; rename `safeCSS` to `safeCss` - Add `safeUrl` template function (Fixes #347) - Add TestSafeUrl() fashioned after @tatsushid great examples - Disable `safeHtmlAttr` pending further discussions on its other use cases because `safeUrl` is a cleaner solution to #347. (There are also `safeJs` and `safeJsStr` that we could implement if there are legitimate demands for them.) - Rename `safeCSS` to `safeCss` (to follow the convention of `safeHtml`) - Add/expand documentation on `safeHtml`, `safeCss` and `safeUrl` --- content/templates/functions.md | 90 +++++++++++++++++++++++++++++++++- 1 file changed, 88 insertions(+), 2 deletions(-) diff --git a/content/templates/functions.md b/content/templates/functions.md index e1499f82b..98785a53e 100644 --- a/content/templates/functions.md +++ b/content/templates/functions.md @@ -263,10 +263,96 @@ Takes a string and sanitizes it for usage in URLs, converts spaces to "-". e.g. `{{ . }}` ### safeHtml -Declares the provided string as "safe" so Go templates will not filter it. +Declares the provided string as a "safe" HTML document fragment +so Go html/template will not filter it. It should not be used +for HTML from a third-party, or HTML with unclosed tags or comments. -e.g. `{{ .Params.CopyrightHTML | safeHtml }}` +Example: Given a site-wide `config.toml` that contains this line: + copyright = "© 2015 Jane Doe. Some rights reserved." + +`{{ .Site.Copyright | safeHtml }}` would then output: + +> © 2015 Jane Doe. Some rights reserved. + +However, without the `safeHtml` function, html/template assumes +`.Site.Copyright` to be unsafe, escaping all HTML tags, +rendering the whole string as plain-text like this: + +
+

© 2015 Jane Doe. <a href="http://creativecommons.org/licenses/by/4.0/">Some rights reserved</a>.

+
+ + + +### safeCss +Declares the provided string as a known "safe" CSS string +so Go html/templates will not filter it. +"Safe" means CSS content that matches any of: + +1. The CSS3 stylesheet production, such as `p { color: purple }`. +2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`. +3. CSS3 declaration productions, such as `color: red; margin: 2px`. +4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`. + +Example: Given `style = "color: red;"` defined in the front matter of your `.md` file: + +* `

` ⇒ `

` (Good!) +* `

` ⇒ `

` (Bad!) + +Note: "ZgotmplZ" is a special value that indicates that unsafe content reached a +CSS or URL context. + +### safeUrl +Declares the provided string as a "safe" URL or URL substring (see [RFC 3986][]). +A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted +source should go in the page, but by default dynamic `javascript:` URLs are +filtered out since they are a frequently exploited injection vector. + +[RFC 3986]: http://tools.ietf.org/html/rfc3986 + +Without `safeUrl`, only the URI schemes `http:`, `https:` and `mailto:` +are considered safe. All other URI schemes, e.g. `irc:` and +`javascript:`, get filtered and replaced with the `ZgotmplZ` unsafe +content indicator. + +Example: Given a site-wide `config.toml` that contains this menu entry: + + [[menu.main]] + name = "IRC: #golang at freenode" + url = "irc://irc.freenode.net/#golang" + +The following template: + + + +would produce `
  • IRC: #golang at freenode
    • ` +for the `irc://…` URL. + +To fix this, add ` | safeUrl` after `.Url` on the 3rd line, like this: + +
  • {{ .Name }}
    • + +With this change, we finally get `
  • IRC: #golang at freenode
    • ` +as intended. ### markdownify