safe.JS

safe.JS INPUT

template.JS

safeJS

Introduction

Hugo uses Go’s text/template and html/template packages.

The text/template package implements data-driven templates for generating textual output, while the html/template package implements data-driven templates for generating HTML output safe against code injection.

By default, Hugo uses the html/template package when rendering HTML files.

To generate HTML output that is safe against code injection, the html/template package escapes strings in certain contexts.

Usage

Use the safe.JS function to encapsulate a known safe EcmaScript5 Expression.

Template authors are responsible for ensuring that typed expressions do not break the intended precedence and that there is no statement/expression ambiguity as when passing an expression like { foo: bar() }\n['foo'](), which is both a valid Expression and a valid Program with a very different meaning.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

Using the safe.JS function to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with the transform.Unmarshal function and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.

See the Go documentation for details.

Example

Without a safe declaration:

{{ $js := "x + y" }}
<script>const a = {{ $js }}</script>

Hugo renders the above to:

<script>const a = "x + y"</script>

To declare the string as safe:

{{ $js := "x + y" }}
<script>const a = {{ $js | safeJS }}</script>

Hugo renders the above to:

<script>const a = x + y</script>