From a90d923956d05e2c67700aa682789d5b2a8ba254 Mon Sep 17 00:00:00 2001
From: juanatsap
Date: Wed, 12 Nov 2025 11:52:52 +0000
Subject: [PATCH] fix: restore HTML rendering in ShortDescription fields

Previously, HTML in short descriptions was being escaped and displayed as raw text instead of rendering properly. This happened because the safeHTML template function had been removed for security reasons.

Changes:
- Added safeHTML function back to template.FuncMap (template.go:53-55)
- Updated three template locations to use safeHTML pipe:
 * Experience descriptions (cv-content.html:122)
 * Award descriptions (cv-content.html:180)
 * Project descriptions (cv-content.html:232)

Security note: The safeHTML function is safe to use here because CV data comes from trusted YAML files controlled by the site owner, not user input. Clear documentation added to prevent misuse with untrusted content.

Examples now rendering correctly:
- Award: "Premio por excelencia en marketing B2B...con Clicplan"
- Projects: Links to Lidering, Jorpack, Delivery Bikes BCN, Mobbeel
---
 internal/templates/template.go | 9 ++++++---
 templates/cv-content.html | 6 +++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/internal/templates/template.go b/internal/templates/template.go
index c20035e..3fab6ac 100644
--- a/internal/templates/template.go
+++ b/internal/templates/template.go
@@ -47,9 +47,12 @@ func (m *Manager) loadTemplates() error {
 "eq": func(a, b string) bool {
 return a == b
 },
- // Security: safeHTML function removed to prevent XSS attacks
- // Go's html/template package automatically escapes HTML by default
- // If you need to render HTML, sanitize it first with a proper library
+ // safeHTML marks string as safe HTML to prevent escaping
+ // SECURITY NOTE: Only use with trusted content from CV YAML files
+ // Never use with user-generated content to prevent XSS attacks
+ "safeHTML": func(s string) template.HTML {
+ return template.HTML(s)
+ },
 }

 // Parse main templates
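Review bot: The new `"safeHTML"` entry returns `template.HTML(s)` for any string, which switches off html/template's contextual escaping for whatever reaches it, so the XSS protection now rests entirely on the comment's assumption that every piped value comes from the site owner's YAML; nothing in this function or the templates checks that, and a FuncMap entry is reachable from every template in the set. The commit message says the content that needs to render is links, so the narrower invariant is to sanitize each ShortDescription against a small tag/attribute allowlist when the CV YAML is loaded, store the result as `template.HTML`, and keep the raw conversion in that one reviewed place instead of a general-purpose template function. If the FuncMap entry stays, I would turn the three comment lines into a doc comment that names the invariant and its consequence: `// safeHTML disables html/template escaping for s. Safe only for CV YAML under the site owner's control; any new data source (uploads, query parameters, third-party APIs) must be sanitized before it can reach this function.` A unit test that fails when a loaded ShortDescription contains a tag outside the allowlist would make the assumption checkable rather than documentary. The enclosing loadTemplates body continues outside the hunk.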
diff --git a/templates/cv-content.html b/templates/cv-content.html
index b9b08aa..51a4356 100644
--- a/templates/cv-content.html
+++ b/templates/cv-content.html
@@ -119,7 +119,7 @@
 {{.StartDate}} / {{if .Current}}{{if eq $.Lang "es"}}presente{{else}}now{{end}}{{else}}{{.EndDate}}{{end}} - ({{.Location}}) {{if .ShortDescription}}
-

{{.ShortDescription}}

+

{{.ShortDescription | safeHTML}}

{{end}} {{if .Responsibilities}}
@@ -177,7 +177,7 @@
 {{.Issuer}} - {{.Date}} {{if .ShortDescription}}
-
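Review bot: The decision to bypass escaping is now repeated at three render sites (`{{.ShortDescription | safeHTML}}` here and in the hunks at -177 and -229), so the next person who adds a fourth description block, or pipes a different field through `safeHTML`, makes a security-relevant choice with no review context in the template itself. Converting the field once at load time (after allowlist sanitization) and rendering it as plain `{{.ShortDescription}}` would keep the templates free of escaping overrides and leave one place to audit. Until that refactor, a template comment beside each use, `{{/* safeHTML: raw HTML from the site owner's CV YAML only; never pipe request-derived values through it */}}`, documents the constraint where it is exercised. The surrounding block elements open and close outside the hunk, and the wrapper tags around the description appear to have been stripped by extraction, so I could not confirm the attribute context the value lands in.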

{{.ShortDescription}}

+

{{.ShortDescription | safeHTML}}

{{end}} {{if .Responsibilities}}
@@ -229,7 +229,7 @@
 {{if .StartDate}}{{.StartDate}}{{if .Current}}{{if .DynamicDate}} / {{.DynamicDate}}{{else}} / {{if eq $.Lang "es"}}presente{{else}}ahora{{end}}{{end}}{{end}}{{end}} - ({{.Location}}) {{if .ShortDescription}}
-

{{.ShortDescription}}

+

{{.ShortDescription | safeHTML}}

{{end}} {{if .Responsibilities}}