Single quotes escaped with " by jsonify

support
1

Dear Everyone,
I am working on a module for Content-Security-Policy generation for Cloudflare. I’ve come across the following case:

  1. Create a dictionary with the report-to directive values,
  2. Use the jsonify function to return a string as JSON,
  3. Use this value in a string that is used in resources.FromString method.

The partial does work and creates “_headers” file at the root of the “publish” folder. The problem is the following:
JSON keys are not wrapped in either single or double quotes but escaped by HTML entities.

report-to {"endpoints":,"include_subdomains":false,"max-age":1800};

I tried to pipe the string through safeHTML or safeJS functions but neither helped.

Any hints will be very much appreciated.
All the best,
Pawel

2

Can you please provide a complete example?

I’m sure you’re doing something different, but this:

{{ $m := dict
  "group" "endpoint-1"
  "max_age" 10886400
  "endpoints" (slice
    (dict "url" "https://example.com/reports")
    (dict "url" "https://backup.com/reports" )
  )
}}
{{ $s := printf "Report-To: %s" (jsonify $m) }}
{{ $r := resources.FromString "_headers" $s }}
{{ $r.Publish }}

produces this public/_headers file:

Report-To: {"endpoints":[{"url":"https://example.com/reports"},{"url":"https://backup.com/reports"}],"group":"endpoint-1","max_age":10886400}
3

Try the noHTMLEscape option:

4

Dear Joe and Bjorn,
I’ve studied template functions looking for those related to escaping/sanitizing input.
Using: htmlUnescape helped to get correct output. Besides the JSON value I gave as an example in my original post the hash strings for style-src and script-src were escaped in the same way.

I am wondering now if I should use functions like safeURL or safeHTMLAttr to further sanitize and normalize the header value. Hugo started returning regular strings from the .Data.Integrity for resources and the delimit function, which I am using in partials.

The module is getting in a rather usable shape. Since it touches the security aspect of a site, I want to use it on my own website first for a while to watch for possible errors.
It has one feature that is very specific to how I inline CSS in my main theme, which I need to make generic. All in all, it looks like it can be released into the wild with some documentations on how to generate the configuration files. The first use case is my own, which is Cloudflare pages, but it is very easy to be adapted to any other configuration format.

Thank you for giving me directions.
Pawel