[Docs] Incorporate some great ideas by @mohae into the `safeUrl` docs

author Anthony Fok <foka@debian.org>

Tue, 20 Jan 2015 07:24:47 +0000 (00:24 -0700)

committer Anthony Fok <foka@debian.org>

Tue, 20 Jan 2015 07:24:47 +0000 (00:24 -0700)
author Anthony Fok <foka@debian.org>
Tue, 20 Jan 2015 07:24:47 +0000 (00:24 -0700)
committer Anthony Fok <foka@debian.org>
Tue, 20 Jan 2015 07:24:47 +0000 (00:24 -0700)
diff --git a/docs/content/templates/functions.md b/docs/content/templates/functions.md

index 98785a53e26adabb3d5f4db4c0b943dd4c7d613a..89c866951ab92dc5137037855069747e06d3cf46 100644 (file)
--- a/docs/content/templates/functions.md
+++ b/docs/content/templates/functions.md
@@ -326,9 +326,10 @@ filtered out since they are a frequently exploited injection vector.
  [RFC 3986]: http://tools.ietf.org/html/rfc3986
  
  Without `safeUrl`, only the URI schemes `http:`, `https:` and `mailto:`
-are considered safe.  All other URI schemes, e.g.&nbsp;`irc:` and
-`javascript:`, get filtered and replaced with the `ZgotmplZ` unsafe
-content indicator.
+are considered safe by Go.  If any other URI schemes, e.g.&nbsp;`irc:` and
+`javascript:`, are detected, the whole URL would be replaced with
+`#ZgotmplZ`.  This is to "defang" any potential attack in the URL,
+rendering it useless.
  
  Example: Given a site-wide `config.toml` that contains this menu entry:
author	Anthony Fok <foka@debian.org>
	Tue, 20 Jan 2015 07:24:47 +0000 (00:24 -0700)
committer	Anthony Fok <foka@debian.org>
	Tue, 20 Jan 2015 07:24:47 +0000 (00:24 -0700)