Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use safeHTMLAttr instead of safeHTML for HTML attributes. #5246

Merged
merged 1 commit into from
Sep 21, 2018
Merged

Use safeHTMLAttr instead of safeHTML for HTML attributes. #5246

merged 1 commit into from
Sep 21, 2018

Conversation

FelicianoTech
Copy link
Contributor

safeHTML should be used when encapsulating entire snippets of HTML including full HTML tags.

For HTML attribute values, we use safeHTMLAttr.

@FelicianoTech FelicianoTech mentioned this pull request Sep 21, 2018
Closed
@bep bep merged commit 4f9c109 into gohugoio:master Sep 21, 2018
@FelicianoTech FelicianoTech deleted the fix-og-time-escaper branch March 3, 2019 02:11
rhcarvalho added a commit to rhcarvalho/hugo that referenced this pull request Apr 22, 2019
@rhcarvalho
tpl: Fix internal templates usage of safeHTMLAttr
2d604a7 
The `safeHTMLAttr` function operates on a full attribute definition, not
just within the attribute value.

Docs: https://gohugo.io/functions/safehtmlattr/

For `opengraph.html`, run the whole `content` HTML attribute through
`safeHTMLAttr`. That will preserve `+` signs in formatted dates.

For `vimeo_simple.html`, `safeHTMLAttr` was in the context of an
attribute value, thus having no effect. In this case we could replace it
with `safeURL`, but since the code is coming from an API it is safer to
just let Go's template engine sanitize the value as it already does with
`provider_url`.

Fixes gohugoio#5236 (no need to change Go upstream)
Related to gohugoio#5246
@rhcarvalho rhcarvalho mentioned this pull request Apr 22, 2019
Merged
bep pushed a commit that referenced this pull request May 17, 2019
@rhcarvalho @bep
tpl: Fix internal templates usage of safeHTMLAttr
e22b3f5 
The `safeHTMLAttr` function operates on a full attribute definition, not
just within the attribute value.

Docs: https://gohugo.io/functions/safehtmlattr/

For `opengraph.html`, run the whole `content` HTML attribute through
`safeHTMLAttr`. That will preserve `+` signs in formatted dates.

For `vimeo_simple.html`, `safeHTMLAttr` was in the context of an
attribute value, thus having no effect. In this case we could replace it
with `safeURL`, but since the code is coming from an API it is safer to
just let Go's template engine sanitize the value as it already does with
`provider_url`.

Fixes #5236 (no need to change Go upstream)
Related to #5246
@github-actions
Copy link

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@FelicianoTech @bep