Special characters in asset's `.Data.Integrity`

regis · August 20, 2018, 7:35pm

When using SRI (.Data.Integrity) on my main script, I happen to see special characters in it the integrity hash string: ++. (++).

Of course, if I slightly modify the content of main.js a new hash string is generated and the specials characters go away.

It may be ok to have such characters in the string, I’m merely wondering. If not,

here is the main.js file
here is the generated hash: sha256-JmfJw0f&#43;&#43;opLmvXcch6UWeVSSb0sbQsdNS7Ral47s9k=
here is the html bit:

<script type="text/javascript" src="http://philibert.hugo/js/main.min.2667c9c347fefa8a4b9af5dc721e9459e55249bd2c6d0b1d352ed16a5e3bb3d9.js" integrity="sha256-JmfJw0f&#43;&#43;opLmvXcch6UWeVSSb0sbQsdNS7Ral47s9k=" crossorigin="anonymous"></script>

bep · August 20, 2018, 8:05pm

Do browers complain about the encoded string?

This value should possibly be of “HTML type”, so Go templates left it untouched (which you can do yourself by piping to safeHTMLAttr). But I also suspect the browsers are handling this without a glitch. I have deployed 100s of variants of this without any hickups.

regis · August 20, 2018, 8:38pm

No the browser does not seem to mind… So I don’t think I will.

Topic		Replies	Views
Sha256 question support	11	558	February 2, 2019
safeJS, safeHTML won't work when tag is inside quotes support	1	334	September 13, 2019
Problems with encoding special characters in json+ld ("invalid escape sequence") support	17	13295	July 17, 2019
Backslash added to my JSON Structured Data support	5	1715	August 12, 2023
Custom Output escaping characters as HTML entities support	3	482	December 14, 2021

Special characters in asset's `.Data.Integrity`

Related Topics