safe.URL
Syntax
Returns
Alias
Introduction
Hugo uses Go’s text/template and html/template packages.
The text/template package implements data-driven templates for generating textual output, while the html/template package implements data-driven templates for generating HTML output safe against code injection.
By default, Hugo uses the html/template package when rendering HTML files.
To generate HTML output that is safe against code injection, the html/template package escapes strings in certain contexts.
Usage
Use the safe.URL function to encapsulate a known safe URL or URL substring. Schemes other than the following are considered unsafe:
http:https:mailto:
Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
See the Go documentation for details.
Example
Without a safe declaration:
{{ $href := "irc://irc.freenode.net/#golang" }}
<a href="{{ $href }}">IRC</a>
Hugo renders the above to:
<a href="#ZgotmplZ">IRC</a>
ZgotmplZ is a special value that indicates that unsafe content reached a CSS or URL context at runtime.
To declare the string as safe:
{{ $href := "irc://irc.freenode.net/#golang" }}
<a href="{{ $href | safeURL }}">IRC</a>
Hugo renders the above to:
<a href="irc://irc.freenode.net/#golang">IRC</a>