diff options
Diffstat (limited to 'docs/content/en/functions/safeHTML.md')
| -rw-r--r-- | docs/content/en/functions/safeHTML.md | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/docs/content/en/functions/safeHTML.md b/docs/content/en/functions/safeHTML.md new file mode 100644 index 000000000..3d5197a4f --- /dev/null +++ b/docs/content/en/functions/safeHTML.md @@ -0,0 +1,40 @@ +--- +title: safeHTML +# linktitle: +description: Declares a provided string as a "safe" HTML document to avoid escaping by Go templates. +date: 2017-02-01 +publishdate: 2017-02-01 +lastmod: 2017-02-01 +categories: [functions] +menu: + docs: + parent: "functions" +keywords: [strings] +signature: ["safeHTML INPUT"] +workson: [] +hugoversion: +relatedfuncs: [] +deprecated: false +--- + +It should not be used for HTML from a third-party, or HTML with unclosed tags or comments. + +Given a site-wide [`config.toml`][config] with the following `copyright` value: + +{{< code-toggle file="config" >}} +copyright = "© 2015 Jane Doe. <a href=\"https://creativecommons.org/licenses/by/4.0/\">Some rights reserved</a>." +{{< /code-toggle >}} + +`{{ .Site.Copyright | safeHTML }}` in a template would then output: + +``` +© 2015 Jane Doe. <a href="https://creativecommons.org/licenses/by/4.0/">Some rights reserved</a>. +``` + +However, without the `safeHTML` function, html/template assumes `.Site.Copyright` to be unsafe and therefore escapes all HTML tags and renders the whole string as plain text: + +``` +<p>© 2015 Jane Doe. <a href="https://creativecommons.org/licenses by/4.0/">Some rights reserved</a>.</p> +``` + +[config]: /getting-started/configuration/ |