Closure disable URL substitution with autoescape=strict

459 Views Asked by arcyqwerty At 21 October 2024 at 01:13

I am rendering a soy template using Closure for a chrome extension and am having trouble inserting chrome-extension://* links since they are being filtered by soy.$$filterNormalizeUri

While normally it would be undesirable to allow chrome-extension://* links, it makes sense within a chrome extension.

Is there a way to whitelist the protocol or allow a particular case of unfiltered URL substitution (perhaps using soy.$$normalizeUri instead of soy.$$filterNormalizeUri)? The input is not user-defined and should be safe for consumption.

Example:

{template .t}
  {foreach $src in $list}
    <link rel="stylesheet" href="{$src}" />
  {/foreach}
{/template}

Where $list is a generated list of stylesheet paths beginning with chrome-extension://*

The error returned is Uncaught AssertionError: Failure: Bad valuechrome-extension://...for |filterNormalizeUri

Info about escaping: https://developers.google.com/closure/templates/docs/security#in_urls

Original Q&A

There are 1 best solutions below

Rob On 14 April 2015 at 17:33

If the elements of $list are SanitizedContent instances instead of strings, then I think they should not be escaped.

Closure disable URL substitution with autoescape=strict

There are 1 best solutions below

Related Questions in GOOGLE-CHROME-EXTENSION

Related Questions in GOOGLE-CLOSURE

Related Questions in GOOGLE-CLOSURE-TEMPLATES

Related Questions in SOY-TEMPLATES

Trending Questions

Popular # Hahtags

Popular Questions