shithub: hugo

ref: 2342655fde6ad4774492f3da5d3b53a70fabdad1
parent: 724cc0ddff3427a37b1fa4367880fce23bb4f1f8
author: Anthony Fok <[email protected]>
date: Mon Jan 19 19:24:47 EST 2015

[Docs] Incorporate some great ideas by @mohae into the `safeUrl` docs

E.g. how `#ZgotmplZ` is used to "defang" the URL

--- a/docs/content/templates/functions.md
+++ b/docs/content/templates/functions.md
@@ -326,9 +326,10 @@
 [RFC 3986]: http://tools.ietf.org/html/rfc3986
 
 Without `safeUrl`, only the URI schemes `http:`, `https:` and `mailto:`
-are considered safe.  All other URI schemes, e.g.&nbsp;`irc:` and
-`javascript:`, get filtered and replaced with the `ZgotmplZ` unsafe
-content indicator.
+are considered safe by Go.  If any other URI schemes, e.g.&nbsp;`irc:` and
+`javascript:`, are detected, the whole URL would be replaced with
+`#ZgotmplZ`.  This is to "defang" any potential attack in the URL,
+rendering it useless.
 
 Example: Given a site-wide `config.toml` that contains this menu entry:
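
Review bot: "are considered safe by Go" in the first added line is imprecise, because the scheme filtering is done by Go's `html/template` package and not by the language; naming the package tells readers where the behaviour comes from. "If any other URI schemes ... are detected, the whole URL would be replaced" mixes a plural with a conditional; "If any other URI scheme ... is detected, the whole URL is replaced with `#ZgotmplZ`" states it as the fixed behaviour it is. The paragraph also stops at "rendering it useless" without saying what that means for `safeUrl` itself: consider one more sentence noting that `safeUrl` turns this filtering off for the value it is applied to, so it should only be used on URLs the site author controls, such as the `config.toml` menu entry in the example that follows, and not on user-supplied input.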