diff --git a/internal/templates/template.go b/internal/templates/template.go
index c20035e..3fab6ac 100644
--- a/internal/templates/template.go
+++ b/internal/templates/template.go
@@ -47,9 +47,12 @@ func (m *Manager) loadTemplates() error {
 "eq": func(a, b string) bool { return a == b },
- // Security: safeHTML function removed to prevent XSS attacks
- // Go's html/template package automatically escapes HTML by default
- // If you need to render HTML, sanitize it first with a proper library
+ // safeHTML marks string as safe HTML to prevent escaping
+ // SECURITY NOTE: Only use with trusted content from CV YAML files
+ // Never use with user-generated content to prevent XSS attacks
+ "safeHTML": func(s string) template.HTML {
+ return template.HTML(s)
+ },
 }
 // Parse main templates
diff --git a/templates/cv-content.html b/templates/cv-content.html
index b9b08aa..51a4356 100644
--- a/templates/cv-content.html
+++ b/templates/cv-content.html
@@ -119,7 +119,7 @@
 {{.StartDate}} / {{if .Current}}{{if eq $.Lang "es"}}presente{{else}}now{{end}}{{else}}{{.EndDate}}{{end}} - ({{.Location}}) {{if .ShortDescription}}
-
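Review bot: The reintroduced `safeHTML` is a bare `template.HTML(s)` cast, so it switches off html/template's contextual escaping for whatever reaches it, and the only guard is the comment asking callers to use it with trusted CV YAML — nothing in the code enforces that trust boundary, which is exactly what the removed comment warned about. If the YAML can ever come from someone other than the operator (an upload, a fetched URL, a shared repository), every `| safeHTML` site becomes stored XSS. A safer shape is to escape first and then re-enable only the markup the CVs actually need, e.g. `"safeHTML": func(s string) template.HTML { return template.HTML(strings.ReplaceAll(template.HTMLEscapeString(s), "\n", "<br>")) },` (needs `strings`) if line breaks are all that is wanted, or to run an allowlist-based sanitizer before the cast; either way the comment should name which fields are expected to carry HTML and where that content is validated. loadTemplates continues outside the hunk.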

{{.ShortDescription}}

+

{{.ShortDescription | safeHTML}}

{{end}} {{if .Responsibilities}}
@@ -177,7 +177,7 @@
 {{.Issuer}} - {{.Date}} {{if .ShortDescription}}
-
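Review bot: `{{.ShortDescription | safeHTML}}` is applied unconditionally, so a description that is plain text containing `<`, `>` or `&` (a constructed example: `C++ & Go`) now reaches the page unescaped instead of being rendered literally as it was before; the same change is made in the `-177` and `-229` hunks. Nothing visible here marks the field as HTML, so either the YAML schema or a comment at the first use should state that ShortDescription is interpreted as markup, e.g. `{{/* ShortDescription is trusted HTML from the CV file and is rendered without escaping */}}`, and any entry whose description is plain text should keep the default escaped `{{.ShortDescription}}`. The surrounding entry block presumably begins outside the hunk.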

{{.ShortDescription}}

+

{{.ShortDescription | safeHTML}}

{{end}} {{if .Responsibilities}}
@@ -229,7 +229,7 @@
 {{if .StartDate}}{{.StartDate}}{{if .Current}}{{if .DynamicDate}} / {{.DynamicDate}}{{else}} / {{if eq $.Lang "es"}}presente{{else}}ahora{{end}}{{end}}{{end}}{{end}} - ({{.Location}}) {{if .ShortDescription}}
-

{{.ShortDescription}}

+

{{.ShortDescription | safeHTML}}

{{end}} {{if .Responsibilities}}