mirror of https://github.com/gohugoio/hugo
1.6 KiB
1.6 KiB
title | description | categories | keywords | action | toc | aliases | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
safe.CSS | Declares the given string as a safe CSS string. |
|
true |
|
Introduction
{{% include "functions/_common/go-html-template-package.md" %}}
Usage
Use the safe.CSS
function to encapsulate known safe content that matches any of:
- The CSS3 stylesheet production, such as
p { color: purple }
. - The CSS3 rule production, such as
a[href=~"https:"].foo#bar
. - CSS3 declaration productions, such as
color: red; margin: 2px
. - The CSS3 value production, such as
rgba(0, 0, 255, 127)
.
Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
See the Go documentation for details.
Example
Without a safe declaration:
{{ $style := "color: red;" }}
<p style="{{ $style }}">foo</p>
Hugo renders the above to:
<p style="ZgotmplZ">foo</p>
{{% note %}}
ZgotmplZ
is a special value that indicates that unsafe content reached a CSS or URL context at runtime.
{{% /note %}}
To declare the string as safe:
{{ $style := "color: red;" }}
<p style="{{ $style | safeCSS }}">foo</p>
Hugo renders the above to:
<p style="color: red;">foo</p>