Special characters in asset's `.Data.Integrity`

When using SRI (.Data.Integrity) on my main script, I happen to see special characters in it the integrity hash string: ++. (++).

Of course, if I slightly modify the content of main.js a new hash string is generated and the specials characters go away.

It may be ok to have such characters in the string, I’m merely wondering. If not,

  • here is the main.js file
  • here is the generated hash: sha256-JmfJw0f++opLmvXcch6UWeVSSb0sbQsdNS7Ral47s9k=
  • here is the html bit:
<script type="text/javascript" src="http://philibert.hugo/js/main.min.2667c9c347fefa8a4b9af5dc721e9459e55249bd2c6d0b1d352ed16a5e3bb3d9.js" integrity="sha256-JmfJw0f&#43;&#43;opLmvXcch6UWeVSSb0sbQsdNS7Ral47s9k=" crossorigin="anonymous"></script>

Do browers complain about the encoded string?

This value should possibly be of “HTML type”, so Go templates left it untouched (which you can do yourself by piping to safeHTMLAttr). But I also suspect the browsers are handling this without a glitch. I have deployed 100s of variants of this without any hickups.

No the browser does not seem to mind… So I don’t think I will.