a-h / templ

A language for writing HTML user interfaces in Go.
https://templ.guide/
MIT License

refactor: add `tel:` as safe URL protocol #655

Closed DannyJJK closed 6 months ago

DannyJJK commented 6 months ago

templ: v0.2.648

Currently trying to use this: `templ.URL("tel:" + phoneNumber)`

results in: `about:invalid#TemplFailedSanitizationURL`

I think this is because it only allows http, https and mailto, but I think tel should be added to this list. It's like mailto but for telephone numbers, so it will open up a phone application.

a-h commented 6 months ago

templ follows the lead of Hugo here: https://gohugo.io/functions/safe/url/ which only allows those schemes. There was a similar issue in Hugo's repo that got closed. https://github.com/gohugoio/hugo/issues/5721

However, WordPress has a much richer set: https://developer.wordpress.org/reference/functions/wp_allowed_protocols/

While Google's SafeHTML only blocks javascript URLs: https://github.com/google/safehtml/blob/be23134998433fcf0135dda53593fc8f8bf4df7c/url.go#L123

I originally went with the most restrictive of the set to be safe, but after this further research, I'm happy to add tel, ftp and ftps.

I'd take a PR for that if you want to contribute.

The code is here: https://github.com/a-h/templ/blob/dbbb53b6a378691d8948c0dad7e8919f28d16f9d/runtime.go#L470-L478
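
The scheme allowlist discussed in this thread, as an added Go example that is not templ's own code and not part of either comment: it accepts http, https and mailto plus the proposed tel, ftp and ftps, and returns the failure value from the report for anything else. The function name `sanitizeURL`, the sample inputs, and the handling of control characters and relative references are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Failure value copied from the report in this thread.
const failedSanitizationURL = "about:invalid#TemplFailedSanitizationURL"

// Schemes the thread says are allowed today (http, https, mailto)
// plus the ones the maintainer offers to accept (tel, ftp, ftps).
var allowedSchemes = map[string]bool{
	"http": true, "https": true, "mailto": true,
	"tel": true, "ftp": true, "ftps": true,
}

// sanitizeURL (hypothetical name) returns the trimmed input when it is a
// relative reference or uses an allowlisted scheme, else the failure value.
func sanitizeURL(s string) string {
	// Browsers drop tab/CR/LF inside a URL, so "java\tscript:" would still
	// run as javascript:. Assumption: reject control characters outright.
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return failedSanitizationURL
		}
	}
	s = strings.TrimSpace(s)
	// A scheme exists only if ':' comes before any '/', '?' or '#'.
	i := strings.IndexAny(s, ":/?#")
	if i < 0 || s[i] != ':' {
		return s // relative reference, e.g. "/contact?t=12:30"
	}
	// Scheme names are case-insensitive, so compare in lower case.
	if !allowedSchemes[strings.ToLower(s[:i])] {
		return failedSanitizationURL
	}
	return s
}

func main() {
	// Constructed sample inputs.
	for _, u := range []string{"tel:+441234567890", "JavaScript:alert(1)", "/contact?t=12:30"} {
		fmt.Printf("%q -> %q\n", u, sanitizeURL(u))
	}
}
```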