I am rendering a soy template using Closure for a chrome extension and am having trouble inserting chrome-extension://*
links since they are being filtered by soy.$$filterNormalizeUri
While normally it would be undesirable to allow chrome-extension://*
links, it makes sense within a chrome extension.
Is there a way to whitelist the protocol or allow a particular case of unfiltered URL substitution (perhaps using soy.$$normalizeUri
instead of soy.$$filterNormalizeUri
)? The input is not user-defined and should be safe for consumption.
Example:
{template .t}
{foreach $src in $list}
<link rel="stylesheet" href="{$src}" />
{/foreach}
{/template}
Where $list
is a generated list of stylesheet paths beginning with chrome-extension://*
The error returned is Uncaught AssertionError: Failure: Bad value
chrome-extension://...for |filterNormalizeUri
Info about escaping: https://developers.google.com/closure/templates/docs/security#in_urls
If the elements of $list are SanitizedContent instances instead of strings, then I think they should not be escaped.