| field | value | date |
|---|---|---|
| author | Anthony Fok <foka@debian.org> | 2015-01-20 10:24:47 +0300 |
| committer | Anthony Fok <foka@debian.org> | 2015-01-20 10:24:47 +0300 |
| commit | 2342655fde6ad4774492f3da5d3b53a70fabdad1 (patch) | |
| tree | f325baa51e7603d8e7d09b5051a7437f49f5da73 /docs | |
| parent | 724cc0ddff3427a37b1fa4367880fce23bb4f1f8 (diff) | |
[Docs] Incorporate some great ideas by @mohae into the `safeUrl` docs
E.g. how `#ZgotomlZ` is used to "defang" the URL
Diffstat (limited to 'docs')
-rw-r--r-- | docs/content/templates/functions.md | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/docs/content/templates/functions.md b/docs/content/templates/functions.md index 98785a53e..89c866951 100644 --- a/docs/content/templates/functions.md +++ b/docs/content/templates/functions.md @@ -326,9 +326,10 @@ filtered out since they are a frequently exploited injection vector. [RFC 3986]: http://tools.ietf.org/html/rfc3986 Without `safeUrl`, only the URI schemes `http:`, `https:` and `mailto:` -are considered safe. All other URI schemes, e.g. `irc:` and -`javascript:`, get filtered and replaced with the `ZgotmplZ` unsafe -content indicator. +are considered safe by Go. If any other URI schemes, e.g. `irc:` and +`javascript:`, are detected, the whole URL would be replaced with +`#ZgotmplZ`. This is to "defang" any potential attack in the URL, +rendering it useless. Example: Given a site-wide `config.toml` that contains this menu entry: |
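Review bot: the new sentence "are considered safe by Go" should name the component doing the filtering, since it is Go's `html/template` escaper (the source of the `ZgotmplZ` failsafe string) rather than the Go language; suggest "are considered safe by Go's `html/template` package." Two smaller points in the same hunk: "the whole URL would be replaced with `#ZgotmplZ`" describes current behaviour, so "is replaced" reads better than "would be replaced"; and because the preceding context line explains that these schemes are "filtered out since they are a frequently exploited injection vector", it is worth adding one sentence that `safeUrl` disables that protection and so must only be applied to URLs the site author controls, never to user-supplied values.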