The integrity value generated by Fingerprint contains a semicolon ";". How can I remove this semicolon?

My theme uses

  {{- $resource = $resource | fingerprint . -}}
  {{- $integrity = $resource.Data.Integrity -}}

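to generate the integrity attribute, for example: integrity="sha256-MvGBfFwfZs5Zwaqmkg5B6ovA3H1sJAtPJUqRcXQ+nNA="

Obviously this sha256 carries a semicolon ";". When I configure HTTP2 Server Push, this semicolon acts as a special character and affects my configuration. Is there any way to avoid this problem?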

What HTML symbol ends up being used in the end?

If so, you can try the following:

 {{- $resource = $resource | fingerprint . -}}
 <p>{{- safeHTML $resource.Data.Integrity -}}</p>

Otherwise you can try:

 {{- $resource = $resource | fingerprint . -}}
 <p>{{- htmlUnescape $resource.Data.Integrity -}}</p>

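Enabling --minify will do it. Without --minify, the integrity value is HTML-escaped (the + is escaped as &#43;); with it enabled, it is not. I don't know the specific reason. If you think this is a bug, you can report it to Hugo; I'm not very familiar with this area.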

hugo server --minify [...]

Or in production mode:

hugo --minify [...]

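Thank you very much for the reply, but after trying it I found that the generated sha256 still has a semicolon.

In the end I followed the method from the post below, using --minify to compress the HTML files, and it actually worked.

Thanks for your help!

Hello, I followed your method and found that it solved the problem. Thank you very much!!!

After I compress the HTML files with --minify, the generated HTML tags have <…/> converted to <…>, which causes some old search engines to fail to recognize them. Is there any way for --minify to keep the "/" in </> tags?

Thanks!

You can adjust the Minify configuration, but I took a quick look and there doesn't seem to be such an option; besides, HTML5 does not require void elements to end with a /. It is a problem, but it should be solvable some other way. You are using this for some search engine's verification meta tag, right? If so, you can switch to file verification.

OK, thanks!!!

If that is the cause, then it was escaped because HTML content must consist of safe symbols (encoding - The purpose of escaping html entities - Information Security Stack Exchange). In that case: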

{{- $resource = $resource | fingerprint . -}}
 {{- warnf "%v\n" (htmlUnescape $resource.Data.Integrity) -}}

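should restore the original data from before the HTML safety escaping. --minify is only applied at the last step (its main purpose is to slim down the HTML content).

That's not a bug.

Actually, you can try it; the two behave differently.

PS: You need to look at the page's source code.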

// assets/main.js
console.log('Hello world')
{{ with resources.Get "main.js" }}
  {{ $resource := . | fingerprint }}
  {{ $integrity := $resource.Data.Integrity }}
  {{ $integrity }}
  {{ $integrity | htmlUnescape }}
  {{ $integrity | htmlUnescape | safeHTML }}
  <script src="{{ $resource.Permalink }}" integrity="{{ $integrity  }}"></script>
  <script src="{{ $resource.Permalink }}" integrity="{{ $integrity | safeHTML  }}"></script>
  <script src="{{ $resource.Permalink }}" integrity="{{ $integrity | safeHTMLAttr }}"></script>
  <script src="{{ $resource.Permalink }}" integrity="{{ $integrity | htmlUnescape }}"></script>
  <script src="{{ $resource.Permalink }}" integrity="{{ $integrity | htmlUnescape | safeHTML }}"></script>
  <script src="{{ $resource.Permalink }}" integrity="{{ $integrity | htmlUnescape | safeHTMLAttr }}"></script>
{{ end }}

Result:

  sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA=
  sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA=
  sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA=
  <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script>
  <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script>
  <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script>
  <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script>
  <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script>
  <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script>

--minify

sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA=
sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA=
sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA=
<script src=http://localhost:1313/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>
<script src=http://localhost:1313/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>
<script src=http://localhost:1313/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>
<script src=http://localhost:1313/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>
<script src=http://localhost:1313/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>
<script src=http://localhost:1313/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>

Wait, something is a bit odd.


@bep, @jmooring, is the above code expected to be this way? As in, the module designer has to go through multiple partial functions just to obtain the pure SRI value (worse, 1 more extra step (strings.TrimPrefix) to obtain the pure shasum value)?

Basically, one has to:

{{ $resource := . | fingerprint -}}
{{ $integrity := $resource.Data.Integrity -}}
{{- $sri := string ($integrity | htmlUnescape | safeHTML) -}}
{{- $shasum := strings.TrimPrefix "sha256-" $sri -}}

The above discussion stated that --minify is the only way that is providing a much more stable outcome, and both the pipelined functions and the minify paths are showing inconsistencies.


Another weird pattern is that when the same algorithm is deployed across all the <script> tags, they are all presenting some weird values.

This is correct. All output must be HTMLEscape for safety reasons. In that case, is --minify providing an unsafe HTML SRI value?


Note that this ticket is marked to be closed within 2 days due to system.

@razon, I cannot reproduce your reported error as stated (please refer to the screenshots). Moreover, I have to upgrade to SHA-512 in order to produce those HTML-escapable symbols. I'm only using your provided code.

The only differences are: I'm using Linux and hugo v0.111.2-4164f8fef9d71f50ef3962897e319ab6219a1dad. What are the differences on your side?

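Is your screenshot of the source code (right-click → View page source)? Or is it the console of Chrome's developer tools? What the console shows is not the same as the source code.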

This is view-source (for checking source code), not Chrome's F12 Inspector Console. At the moment, your source code only proves there is no need for other partial processing functions and the SRI can be rendered directly.

This is to show all the JS are working.

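I tried it, and it is the same even with SHA512. In theory, the string after the prefix is a base64-encoded string and should not need escaping.

Or check whether minify is enabled in your configuration, or try my version: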

$ hugo version
hugo v0.115.4-dc9524521270f81d1c038ebbb200f0cfa3427cc5+extended linux/amd64 BuildDate=2023-07-20T06:49:57Z VendorInfo=gohugoio

Both are the same; looks like you might need to get busy. (First picture without minify.)

        hugo server --noBuildLock \
                --disableFastRender \
                --port 8080 \
                --renderToDisk \
                --gc &

Any differences with the server command?

I’ve been pinged, but I am not weighing in without a clear description of the problem.

Sorry on my part. When I was attempting to root-cause the problem and clarify with both of you, apparently, I couldn't reproduce the issue they are having.

It seems that the inconsistency issue is not related to SRI rendering but something else. We’re working on root causing the problem.

So far, I can use the SRI directly without needing any additional functions be it page rendering or actual value insertion. OP somehow got his/her generated SRI that is always HTML Escaped from the start which is undesirable.

Are you referring to the plus sign (+) encoded as &#43; ?

Yep. I have moved up to OP's Hugo version and used his/her --minify workaround. The inconsistencies are still there (I don't produce the HTML Escaped one; OP keeps producing the HTML Escaped version). Both of us are using the same Hugo version and test code for now:

$ hugo version
hugo v0.115.4-dc9524521270f81d1c038ebbb200f0cfa3427cc5+extended linux/amd64 BuildDate=2023-07-20T06:49:57Z VendorInfo=gohugoio

UPDATE (from below):

Same server command as well.

That is unclear, then. On my side I can reproduce this problem reliably.
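The escaping discussed in this thread, reproduced outside Hugo with Go's html/template (the package Hugo's HTML templates are built on), as an added example that is not code from any poster or from the Hugo project. It uses the integrity value from the test output above; the function names are illustrative. It shows that the `&#43;` form decodes back to the same SRI value, and that only a whole `name="value"` pair marked as `template.HTMLAttr` is emitted without entities.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Integrity value copied from the thread's test output; it contains a '+'.
const integrity = "sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="

// render executes an html/template source against data and returns the output.
func render(src string, data any) string {
	var b strings.Builder
	t := template.Must(template.New("t").Parse(src))
	if err := t.Execute(&b, data); err != nil {
		panic(err)
	}
	return b.String()
}

// escapedAttr: a plain string inside an attribute value is entity-encoded.
func escapedAttr() string {
	return render(`<script integrity="{{.}}"></script>`, integrity)
}

// markedHTMLInAttr: template.HTML (what safeHTML returns) is still
// normalised inside an attribute value, so '+' becomes an entity again.
func markedHTMLInAttr() string {
	return render(`<script integrity="{{.}}"></script>`, template.HTML(integrity))
}

// wholeAttr: a complete name="value" pair typed as template.HTMLAttr and
// placed in tag position is written verbatim.
func wholeAttr() string {
	attr := template.HTMLAttr(fmt.Sprintf("integrity=%q", integrity))
	return render(`<script {{.}}></script>`, attr)
}

// attrValue extracts the integrity attribute and entity-decodes it, which is
// what an HTML parser does before the SRI check sees the value.
func attrValue(tag string) string {
	const key = `integrity="`
	i := strings.Index(tag, key) + len(key)
	j := strings.Index(tag[i:], `"`)
	return html.UnescapeString(tag[i : i+j])
}

func main() {
	for _, out := range []string{escapedAttr(), markedHTMLInAttr(), wholeAttr()} {
		fmt.Printf("%s\n  decodes to original: %v\n", out, attrValue(out) == integrity)
	}
}
```

In a Hugo template the third form corresponds to placing `{{ printf "integrity=%q" $integrity | safeHTMLAttr }}` in the tag instead of writing `integrity="{{ ... }}"`. Any tool that reads the raw HTML without decoding entities, such as a script that builds server push headers, has to decode `&#43;` itself when the first two forms are used.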