Enable safeHTML by default


#1

I’m just curious if there is a setting/configuration for Hugo to enable safeHTML by default. That is, I don’t have to do this

{{ .Params.text | safeHTML }}

so I can just do this instead

{{ .Params.text }}

And I’ve always been told and have read that safeHTML is there to protect against code injection. I’m not sure what that means, since my thinking is that we are the ones creating our own site to be generated. Should there be any malicious code, it would be coming from us. Please enlighten me on this.

TIA


#2

No.

There is a need to keep current behavior exactly as it is.

Also you are not showing us the full context of your {{ .Params.text }}. Does it contain HTML? Where is it called?

Who said that where?

In Go Templates, Parameters are considered unsafe by design, but this always depends on the context.

For example: <p>{{ .Params.text }}</p> in a list template would work fine as is.
But <p class="{{ .Params.text }}"></p> may not, so you would need to pipe it with either safeHTML or safeHTMLAttr (usually it is the former).

There was a recent post here that will help you understand.


#3

The “safeness” of safeHTML may be misleading if you are referring to sanitizing input. You should always sanitize user input over the web, for instance. But our pipe functions normally do something related to formatting, so everything works as expected; HTML docs are still docs, and a single character can mess everything up.


#4

You can define your HTML output format with isPlainText = true. This will then use Go’s “plain text” template package.
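The contextual escaping described in #2 (the same .Params.text rendering fine inside <p> but not inside a class attribute, and what safeHTML / safeHTMLAttr change) and the isPlainText switch from #4 can be reproduced directly with Go's html/template and text/template, the two packages Hugo builds its HTML and plain-text output formats on. The program below is an added example, not code from the thread or from Hugo itself: the untrustedText value is a constructed sample standing in for a front-matter field that did not come from the site author, and the safeHTML / safeHTMLAttr helpers are stand-ins for Hugo's functions of the same name (both just retype the string to template.HTML / template.HTMLAttr, which is also what Hugo does).

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed sample value standing in for a .Params.text that was not written
// by the site author (a front-matter field filled from a form, a data file or a
// third-party feed). Assumption for illustration only.
const untrustedText = `<b>bold</b>" onmouseover="alert(1)`

// safeHTML and safeHTMLAttr stand in for Hugo's template functions of the same
// name: both simply retype the string so html/template trusts it in the
// matching context. Nothing is inspected or sanitized.
func safeHTML(s string) htmltemplate.HTML         { return htmltemplate.HTML(s) }
func safeHTMLAttr(s string) htmltemplate.HTMLAttr { return htmltemplate.HTMLAttr(s) }

// renderHTML executes tmpl with html/template, the package behind Hugo's HTML
// output format. Escaping is chosen per context (element text, quoted
// attribute value, attribute name, ...), not per value.
func renderHTML(tmpl string, params map[string]any) (string, error) {
	t, err := htmltemplate.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Params": params}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderText executes tmpl with text/template, which is what an output format
// declared with isPlainText = true selects: nothing is escaped at all.
func renderText(tmpl string, params map[string]any) (string, error) {
	t, err := texttemplate.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Params": params}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	cases := []struct {
		label  string
		tmpl   string
		params map[string]any
		render func(string, map[string]any) (string, error)
	}{
		// Element text: a plain string is HTML-escaped; safeHTML passes it through.
		{"html, element text, plain string", `<p>{{ .Params.text }}</p>`,
			map[string]any{"text": untrustedText}, renderHTML},
		{"html, element text, safeHTML", `<p>{{ .Params.text }}</p>`,
			map[string]any{"text": safeHTML(untrustedText)}, renderHTML},
		// Quoted attribute value: plain string escaped; safeHTML is still
		// tag-stripped and quote-escaped, because a template.HTML value is not a
		// valid thing to put inside an attribute.
		{"html, attribute value, plain string", `<p class="{{ .Params.text }}"></p>`,
			map[string]any{"text": untrustedText}, renderHTML},
		{"html, attribute value, safeHTML", `<p class="{{ .Params.text }}"></p>`,
			map[string]any{"text": safeHTML(untrustedText)}, renderHTML},
		// Whole attribute in tag position: a plain string is replaced by the
		// ZgotmplZ failsafe; only template.HTMLAttr is emitted verbatim.
		{"html, whole attribute, plain string", `<p {{ .Params.attr }}></p>`,
			map[string]any{"attr": `class="highlight"`}, renderHTML},
		{"html, whole attribute, safeHTMLAttr", `<p {{ .Params.attr }}></p>`,
			map[string]any{"attr": safeHTMLAttr(`class="highlight"`)}, renderHTML},
		// text/template (isPlainText = true): the quote in the value closes the
		// class attribute and onmouseover becomes a real attribute.
		{"text/template, attribute value", `<p class="{{ .Params.text }}"></p>`,
			map[string]any{"text": untrustedText}, renderText},
	}
	for _, c := range cases {
		out, err := c.render(c.tmpl, c.params)
		if err != nil {
			fmt.Printf("%-40s error: %v\n", c.label, err)
			continue
		}
		fmt.Printf("%-40s %s\n", c.label, out)
	}
}
```

The point the two renderers make together: html/template decides how to escape from where the action sits in the markup, so piping with safeHTML is a per-site statement that the value is already correct HTML for that exact spot, not a sanitizer; and an isPlainText output format removes that decision entirely, which is why it is the wrong tool for producing HTML from any value you do not fully control.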