Sha256 question

I have this string:


But if I view my source, the browser renders it this way:

                                               ^ wot?

Any way to make the + symbol show instead of &#43;?? Tried anchorize (replaces the + with a - but it also replaces others) and urlize and safeHTML, none worked.

Or the browser will read it OK and I am in the clear?

I assume this is {{ .Data.Integrity }}? If so, what Hugo version?

The latest version.

I’m actually not using Data.Integrity, I was just using the CDN from jQuery CDN like so:

{{ $jquery_slim := "" }}
{{ $jquery_slim_integrity := "sha256-3edrmyuQ0w65f8gfBsqowzjJe2iM6n0nKciPUp8y+7E=" }}
<script src="{{ $jquery_full }}" integrity="{{ $jquery_full_integrity }}" crossorigin="anonymous"></script>

I copied the data integrity from the jQuery website, not sure if I could have just used Hugo’s Data.Integrity to make that one instead of Frankenstein my inelegant solution…


$jquery_full_integrity | safeHTMLAttr

Ahhh, the &#43; keeps showing, didn’t work.

Have you tried:

$jquery_full_integrity | htmlUnescape

Yep, but did nothing ;(

That’s strange, as a simple test of:

{{ $jquery_slim_integrity := "sha256-3edrmyuQ0w65f8gfBsqowzjJe2iM6n0nKciPUp8y+7E=" }}
{{ $jquery_slim_integrity | htmlUnescape}}

produces: sha256-3edrmyuQ0w65f8gfBsqowzjJe2iM6n0nKciPUp8y+7E=

Strange indeed, I just copied your example and I still get the error. <meta charset="utf-8">, Hugo 0.53, Firefox and Chrome.

I’m looking at the viewsource here, but if I look at the page yes, the + gets printed.

As far as I know, the + should be shown in the viewsource correctly? Doesn’t matter if it shows right on the rendered HTML page since it is the viewsource that matters?

Again, totally ignorant about this stuff.

Yeh, I did a more specific test, and viewed the source. I am now getting the same as you.

I can easily bypass this by doing:

{{ if eq jquery_integrity "full" }}
then I simply pass the string here. Else, the slim.

But I wanted to know if I broke Hugo.

You have to declare the entire attribute safe, not just the value:

<script src="{{ $jquery_full }}" {{ printf "integrity=%q" $jquery_full_integrity | safeHTMLAttr }} crossorigin="anonymous"></script>

Technically, the src attribute could also be declared safe to avoid surprises later.

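The behaviour in this thread comes from the contextual escaping in Go's html/template, which Hugo builds on. The following is an added example, not code from the thread or from Hugo itself: it reproduces the three cases with the standard library, using `template.HTMLAttr` in place of Hugo's `safeHTMLAttr`, and it also decodes the escaped value the way an HTML parser does. `render` and `decodedValue` are hypothetical helper names.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Hash string as quoted in the thread.
const integrity = "sha256-3edrmyuQ0w65f8gfBsqowzjJe2iM6n0nKciPUp8y+7E="

// render executes a one-off template (hypothetical helper for this demo).
func render(src string, data any) string {
	var buf bytes.Buffer
	if err := template.Must(template.New("t").Parse(src)).Execute(&buf, data); err != nil {
		panic(err)
	}
	return buf.String()
}

// valueOnly: a plain string inside a quoted attribute value; "+" becomes "&#43;".
func valueOnly() string {
	return render(`<script integrity="{{ . }}"></script>`, integrity)
}

// valueMarkedSafe: HTMLAttr on the value alone is still escaped in value position.
func valueMarkedSafe() string {
	return render(`<script integrity="{{ . }}"></script>`, template.HTMLAttr(integrity))
}

// wholeAttr: the complete name="value" pair marked as HTMLAttr is emitted verbatim.
func wholeAttr() string {
	return render(`<script {{ . }}></script>`, template.HTMLAttr(fmt.Sprintf("integrity=%q", integrity)))
}

// decodedValue returns the attribute value after character references are decoded.
func decodedValue(tag string) string {
	first, last := strings.Index(tag, `"`), strings.LastIndex(tag, `"`)
	return html.UnescapeString(tag[first+1 : last])
}

func main() {
	for _, s := range []string{valueOnly(), valueMarkedSafe(), wholeAttr()} {
		fmt.Println(s)
	}
	fmt.Println(decodedValue(valueOnly()) == integrity)
}
```

HTML parsers decode character references in attribute values, so the `&#43;` form seen in view-source carries the same integrity string as the literal `+` form.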