refactor: add tel: as safe URL protocol #655

Closed
DannyJJK opened this issue Mar 29, 2024 · 1 comment · Fixed by #657
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed NeedsImplementation Needs implementation

DannyJJK commented Mar 29, 2024

templ: v0.2.648

Currently trying to use this:
templ.URL("tel:" + phoneNumber)

results in:
about:invalid#TemplFailedSanitizationURL

I think this is because it only allows http, https and mailto, but I think tel should be added to this list. It's like mailto but for telephone numbers, so it will open up a phone application.

a-h (Owner) commented Mar 30, 2024

templ follows the lead of Hugo here: https://gohugo.io/functions/safe/url/ which only allows those schemes. There was a similar issue in Hugo's repo that got closed. gohugoio/hugo#5721

However, WordPress has a much richer set: https://developer.wordpress.org/reference/functions/wp_allowed_protocols/

While Google's SafeHTML only blocks javascript URLs: https://github.com/google/safehtml/blob/be23134998433fcf0135dda53593fc8f8bf4df7c/url.go#L123

I originally went with the most restrictive of the set to be safe, but after this further research, I'm happy to add tel, ftp and ftps.

I'd take a PR for that if you want to contribute.

The code is here:

templ/runtime.go

Lines 470 to 478 in dbbb53b

func URL(s string) SafeURL {
	if i := strings.IndexRune(s, ':'); i >= 0 && !strings.ContainsRune(s[:i], '/') {
		protocol := s[:i]
		if !strings.EqualFold(protocol, "http") && !strings.EqualFold(protocol, "https") && !strings.EqualFold(protocol, "mailto") {
			return FailedSanitizationURL
		}
	}
	return SafeURL(s)
}

a-h changed the title from "Allow tel: link" to "refactor: add tel: as safe URL protocol" on Mar 30, 2024
a-h added the enhancement, help wanted, good first issue and NeedsImplementation labels on Mar 30, 2024
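
A table-driven form of the scheme check quoted above, extended with the tel, ftp and ftps schemes named in the comment. This is an added example, not templ's code and not the change merged in #657; the names `sanitizeURL` and `allowedSchemes` and all sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// failedSanitizationURL is the sentinel value reported in the issue.
const failedSanitizationURL = "about:invalid#TemplFailedSanitizationURL"

// allowedSchemes (hypothetical name) holds the existing allowlist plus the
// schemes proposed in the thread. Keys are lower-case.
var allowedSchemes = map[string]bool{
	"http": true, "https": true, "mailto": true,
	"tel": true, "ftp": true, "ftps": true,
}

// sanitizeURL (hypothetical name) applies the same rule as the quoted URL
// function: text before the first ':' counts as a scheme only when it holds
// no '/'; any scheme outside the allowlist yields the sentinel. Input with
// no scheme (relative paths, bare names) is passed through unchanged.
func sanitizeURL(s string) string {
	if i := strings.IndexRune(s, ':'); i >= 0 && !strings.ContainsRune(s[:i], '/') {
		if !allowedSchemes[strings.ToLower(s[:i])] {
			return failedSanitizationURL
		}
	}
	return s
}

func main() {
	// Constructed sample inputs.
	samples := []string{
		"tel:+15555550100",           // newly allowed scheme
		"TEL:+15555550100",           // scheme match ignores case
		"ftps://files.example.com/a", // newly allowed scheme
		"/contact?time=10:30",        // ':' after a '/', so no scheme
		"javascript:void(0)",         // not on the allowlist
		"data:text/html,x",           // not on the allowlist
		" javascript:void(0)",        // padded scheme still fails closed
	}
	for _, u := range samples {
		fmt.Printf("%-30q -> %s\n", u, sanitizeURL(u))
	}
}
```

Because the check is an allowlist, anything it does not recognise as an approved scheme, including the whitespace-padded variant, is rejected rather than passed through.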