I understand why scripts are disallowed, since Tera is a template engine you might use to render html pages on request… but considering the fact that we’re using Zola to render our content and generate a static site, shouldn’t there be a way to do this? I just want to install some tracking code that I control. Can I do this with templates, or do I have to modify the final output?
What do you mean by scripts are disallowed? Of course you can use any JS you want in your site.
Every time I modify one of the html templates and place a script tag, it just disappears when I run zola serve. Am I missing something?
I suppose I should mention that I’m not loading the script via src attribute, and am placing the code directly inside the body of the tag.
Are you modifying a template in the public directory by any chance? That’s the output directory that gets regenerated on changes, you need to edit templates in the templates directory. If it isn’t that, I don’t know what’s happening, Zola doesn’t edit any of the templates in the templates directory, it only reads them.
Nope. I’m modifying base.html in my project’s templates folder, which extends the base.html from my theme. I’ve tried modifying the theme templates directly as well, but also no success. script tags disappear in the output to public.
I will say I saw in one of the tests for Tera that scripts were specifically being tested. The body of the script tag in the test had alert('pwned'). I assumed it was Tera that’s removing the tags, but haven’t dug any deeper to confirm that or see what else was going on yet.
Tera/Zola does not modify loaded templates in any way and you can definitely have scripts: https://github.com/Keats/vincentprouillet/blob/master/templates/index.html#L13-L21
That test in Tera tests that a variable is escaped (to prevent XSS). It’s unrelated to your issue.
Is the repo public or can you make a small reproduction?
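The distinction drawn in the reply above (template text is left untouched, only variable values are escaped), as an added example that is not part of the original thread and is not Tera's own code. It is a simplified, std-only stand-in renderer; the function names and the six-character escape set are assumptions of this sketch.

```rust
use std::collections::HashMap;

/// Entity-encode characters that are significant in HTML text/attribute contexts.
/// (Escape set chosen for this sketch: & < > " ' /)
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            '/' => out.push_str("&#x2F;"),
            _ => out.push(c),
        }
    }
    out
}

/// Hypothetical mini-renderer: literal template text is copied through
/// unchanged; only the values substituted for `{{ name }}` are escaped.
fn render(template: &str, ctx: &HashMap<&str, &str>) -> String {
    let mut out = String::new();
    let mut rest = template;
    while let Some(start) = rest.find("{{") {
        out.push_str(&rest[..start]); // literal text, including any <script>
        match rest[start + 2..].find("}}") {
            Some(len) => {
                let name = rest[start + 2..start + 2 + len].trim();
                // Unknown variables render as empty (a choice made for this sketch).
                out.push_str(&escape_html(ctx.get(name).copied().unwrap_or("")));
                rest = &rest[start + 2 + len + 2..];
            }
            None => {
                // Unterminated tag: keep it as literal text.
                out.push_str(&rest[start..]);
                rest = "";
            }
        }
    }
    out.push_str(rest);
    out
}

fn main() {
    let mut ctx = HashMap::new();
    ctx.insert("title", "<script>alert('pwned')</script>"); // constructed untrusted value
    let tpl = "<h1>{{ title }}</h1><script>console.log(\"tracking\");</script>";
    println!("{}", render(tpl, &ctx));
}
```

The script tag written in the template survives as-is, while the same markup arriving through a variable comes out as inert entities.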
Right. I assumed Tera was removing script tags to mitigate XSS attacks where the content may be provided by a database or some other source that may have been compromised.
I’ve dug a little further into the issue and the issue is actually related to how I’m extending a template from the theme I’m using. I’ve extended one of the theme’s templates and overridden a specific block, but for whatever reason it’s not being overridden like the zola documentation suggests: https://www.getzola.org/documentation/themes/installing-and-using-themes/
Here’s an example: https://github.com/johnhalbert/zola-scripts
Try to add <script type="text/javascript"> instead of <script>
Actually, the issue seems to be something with how templates can be extended. The promise on the Zola site - https://www.getzola.org/documentation/themes/installing-and-using-themes/ - is that I can name my template the same as the template from my theme, extend it, and then override any blocks that I’d like. This doesn’t work, and is shown in the example repo I posted above.
I can extend a template from my theme, and override blocks in it, but the file name in my templates directory has to be different. Anyone know if I’m doing anything wrong here?
Thanks for the reproduction! That’s an issue in Zola I’ve just created an issue for: https://github.com/getzola/zola/issues/937