Fixing Subresource Integrity Hashes

I began adding subresource integrity and ran into an issue. The sample found in
the documentation does not produce a valid subresource integrity hash:

<script src="{{ get_url(path="js/app.js") }}" integrity="sha384-{{ get_file_hash(path="js/app.js", sha_type=384) }}"></script>

This check is failing as the get_file_hash() method is returning a hex-encoded
version of the digest instead of a base64 encoded version as defined in the
official spec and MDN.

I haven’t contributed to Zola before, but happy to open a PR with a fix and
update the documentation. The way I see it there are a couple of different
paths to getting to a point where valid integrity hashes could be generated.

The most flexible would likely to be to add two more built-in filters
hex_encode and hex_decode to match the existing base64_encode and
base64_decode. This doesn’t change any existing usage, and is potentially
useful for other things. An updated integrity attribute can be generated like

<script src="{{ get_url(path="js/app.js") }}" integrity="sha384-{{ get_file_hash(path="js/app.js", sha_type=384) | hex_decode | base64_encode }}"></script>

Not very ergonomic but it does work. The next reasonable option would be to add
another optional argument to the existing get_file_hash() method such as
encoding allowing you to specify a base64 encoding instead of a hex decoding.
The resulting usage would look something like the following:

<script src="{{ get_url(path="js/app.js") }}" integrity="sha384-{{ get_file_hash(path="js/app.js", sha_type=384, encoding=base64) }}"></script>

This seems like a relatively small change and shouldn’t have any impact on any
existing usage as long as encoding defaults to hex. The last idea is the most
ergonomic from a user’s perspective, use a dedicated helper for generating the
integrity string. I suspect this falls foul of keeping the feature set minimal,
but wanted to include it as an option anyway. Effectively this would behave the
same way as the existing get_file_hash but properly format the result
specifically for an integrity attribute:

<script src="{{ get_url(path="js/app.js") }}" integrity="{{ get_file_integrity(path="js/app.js", sha_type=384) }}"></script>

All of those options seem like they would be quite quick to implement, and easy
enough to update the documentation at the same time. What direction seems most

This is already fixed in 0.14: Next version by Keats · Pull Request #1293 · getzola/zola · GitHub

Oh awesome. I couldn’t find that when I searched. Glad to see it’s already been tackled!