Delimit function returns template.HTML, not string #10876
Comments
Correct me if I'm wrong, but from the standard library:
HTML encapsulates a known safe HTML document fragment. It should not be used for HTML from a third-party, or HTML with unclosed tags or comments. The outputs of a sound HTML sanitizer and a template escaped by this package are fine for use with HTML. Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
To summarize, template.HTML returns a sanitized HTML string.
Right. This could easily be resolved by correcting the documentation, instead of changing the implementation. Although I seem to recall template.HTML causing a problem when passing it to a func that expected a string. I forget the details.
The truncate function is the only string function to return template.HTML instead of a string. And it kind of makes sense given how it is typically used. I've run across one case where this was a surprise: https://discourse.gohugo.io/t/image-text-parameters/43118
If we changed delimit to return a string it could break sites:
I suspect that is an uncommon example, but still... There's documentation in the works, based on source, that specifies type for both args and result.
So, that said, I think we should fix this. There are obvious cases where we would want to keep the
I have seen this in the wild, but I can't remember where:
If we return a
The construct above may have been used because this wasn't as obvious:
I just found an example of this usage in the documentation for the
OK, I have thought about this, and we should fix this, and I don't know how to fix it without breaking something, but there's an argument that it will most likely fix more things than it breaks. I think we could also argue that this is also a security concern.
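The security concern raised in the comment above, and the stdlib documentation quoted earlier in the thread, come down to one behaviour of html/template: a plain string is escaped for its output context, while a template.HTML value is emitted verbatim. The following Go program is an added example written for this page, not Hugo's own code. delimitString and delimitHTML are hypothetical stand-ins for a delimit function with each return type, render is a small helper around html/template, and the input tags are constructed so that one element carries attacker-controlled markup.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// delimitString joins items with delimiter and returns a plain string.
// html/template treats a plain string as untrusted text and escapes it
// for the context in which it is rendered.
func delimitString(items []string, delimiter string) string {
	return strings.Join(items, delimiter)
}

// delimitHTML joins items the same way but returns template.HTML, which
// tells html/template the value is already safe: it is emitted verbatim,
// so any markup in items or delimiter reaches the page unescaped.
func delimitHTML(items []string, delimiter string) template.HTML {
	return template.HTML(strings.Join(items, delimiter))
}

// render executes a one-line page template with v as the dot value and
// returns the HTML that html/template produces.
func render(v interface{}) (string, error) {
	tmpl := template.Must(template.New("page").Parse(`<p>{{ . }}</p>`))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample input: the last "tag" is attacker controlled,
	// as it could be if it came from untrusted front matter or a data file.
	tags := []string{"go", "hugo", `<script>alert(1)</script>`}

	escaped, _ := render(delimitString(tags, ", "))
	verbatim, _ := render(delimitHTML(tags, ", "))
	fmt.Println("string result:       ", escaped)
	fmt.Println("template.HTML result:", verbatim)

	// The flip side, which is what site authors rely on: a delimiter that
	// is itself markup only survives when the result is template.HTML.
	brString, _ := render(delimitString([]string{"a", "b"}, "<br>"))
	brHTML, _ := render(delimitHTML([]string{"a", "b"}, "<br>"))
	fmt.Println("string + <br>:       ", brString)
	fmt.Println("template.HTML + <br>:", brHTML)
}
```

With the string return, the script tag is rendered as text (`&lt;script&gt;...`); with the template.HTML return it lands in the page as executable markup. The `<br>` case shows why changing the return type is a breaking change for templates that deliberately pass HTML through the delimiter, which is the trade-off the thread is weighing.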
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
https://gohugo.io/functions/delimit/:
This:
prints this:
What version of Hugo are you using (hugo version)?
Does this issue reproduce with the latest release?
Yes