fix: restore HTML rendering in ShortDescription fields

Previously, HTML in short descriptions was being escaped and displayed as raw text instead of rendering properly. This happened because the safeHTML template function had been removed for security reasons. Changes: - Added safeHTML function back to template.FuncMap (template.go:53-55) - Updated three template locations to use safeHTML pipe: * Experience descriptions (cv-content.html:122) * Award descriptions (cv-content.html:180) * Project descriptions (cv-content.html:232) Security note: The safeHTML function is safe to use here because CV data comes from trusted YAML files controlled by the site owner, not user input. Clear documentation added to prevent misuse with untrusted content. Examples now rendering correctly: - Award: "Premio por excelencia en marketing B2B...con <a href=...>Clicplan</a>" - Projects: Links to Lidering, Jorpack, Delivery Bikes BCN, Mobbeel
2025-11-12 11:52:52 +00:00
parent c1506a4d1e
commit a90d923956
2 changed files with 9 additions and 6 deletions
@@ -47,9 +47,12 @@ func (m *Manager) loadTemplates() error {
 		"eq": func(a, b string) bool {
 			return a == b
 		},
-		// Security: safeHTML function removed to prevent XSS attacks
-		// Go's html/template package automatically escapes HTML by default
-		// If you need to render HTML, sanitize it first with a proper library
+		// safeHTML marks string as safe HTML to prevent escaping
+		// SECURITY NOTE: Only use with trusted content from CV YAML files
+		// Never use with user-generated content to prevent XSS attacks
+		"safeHTML": func(s string) template.HTML {
+			return template.HTML(s)
+		},
 	}

 	// Parse main templates
@@ -119,7 +119,7 @@
                        <small>{{.StartDate}} / {{if .Current}}{{if eq $.Lang "es"}}presente{{else}}now{{end}}{{else}}{{.EndDate}}{{end}} - ({{.Location}})</small>

                        {{if .ShortDescription}}
-                        <p class="experience-desc short-desc">{{.ShortDescription}}</p>
+                        <p class="experience-desc short-desc">{{.ShortDescription | safeHTML}}</p>
                        {{end}}

                        {{if .Responsibilities}}
@@ -177,7 +177,7 @@
                        <small>{{.Issuer}} - {{.Date}}</small>

                        {{if .ShortDescription}}
-                        <p class="award-desc short-desc">{{.ShortDescription}}</p>
+                        <p class="award-desc short-desc">{{.ShortDescription | safeHTML}}</p>
                        {{end}}

                        {{if .Responsibilities}}
@@ -229,7 +229,7 @@
                        <small>{{if .StartDate}}{{.StartDate}}{{if .Current}}{{if .DynamicDate}} / {{.DynamicDate}}{{else}} / {{if eq $.Lang "es"}}presente{{else}}ahora{{end}}{{end}}{{end}}{{end}} - ({{.Location}})</small>

                        {{if .ShortDescription}}
-                        <p class="project-desc short-desc">{{.ShortDescription}}</p>
+                        <p class="project-desc short-desc">{{.ShortDescription | safeHTML}}</p>
                        {{end}}

                        {{if .Responsibilities}}