A Tabbed View for Hugo

One thing I’ve been using for a lot of my recent posts (such as Backtracking Worms) is a tabbed view of code that can show arbitrarily tabs full of code or other content and render them wonderfully! For example, we can turn: {{< tabs >}} {{< sourcetab ruby "examples/art-station.rune" >}} {{< tab "art-station.svg" >}} {{< include "output/art-station.svg" >}} {{< /tab >}} {{< sourcetab ruby "examples/astrology-and-moons.rune" >}} {{< tab "astrology-and-moons.svg" >}} {{< include "output/astrology-and-moons.


Prevent JavaScript links by parsing URLs

If you have a website that allows users to submit URLs, one of the (many many) things people will try to do to break your site is to submit URLs that use the javascript: protocol (rather than the more expected http: or https:). This is almost never something that you want, since it allows users to submit essentially arbitrary code that other users will run on click in the context of your domain (same origin policy).

So how do you fix it?

First thought would be to try to check the protocol:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')

> safe_url('javascript:alert(1)')