aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorBjørn Erik Pedersen <[email protected]>2024-04-22 10:56:02 +0200
committerBjørn Erik Pedersen <[email protected]>2024-04-22 16:54:24 +0200
commit15a4b9b33715887001f6eff30721d41c0d4cfdd1 (patch)
tree75450b44c78621df1035f556a5090ce192505917
parent10a8448eee99708912295aaade2c8ce9c352c984 (diff)
downloadhugo-15a4b9b33715887001f6eff30721d41c0d4cfdd1.tar.gz
hugo-15a4b9b33715887001f6eff30721d41c0d4cfdd1.zip
tpl: Escape .Title in built-in image and link render hooks
Co-authored-by: Joe Mooring <[email protected]>
-rw-r--r--.hugo_build.lock0
-rw-r--r--hugolib/content_render_hooks_test.go50
-rw-r--r--tpl/tplimpl/embedded/templates/_default/_markup/render-image.html2
-rw-r--r--tpl/tplimpl/embedded/templates/_default/_markup/render-link.html2
4 files changed, 52 insertions, 2 deletions
diff --git a/.hugo_build.lock b/.hugo_build.lock
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/.hugo_build.lock
diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go
index 36d1e626f..abe305762 100644
--- a/hugolib/content_render_hooks_test.go
+++ b/hugolib/content_render_hooks_test.go
@@ -14,6 +14,7 @@
package hugolib
import (
+ "fmt"
"strings"
"testing"
)
@@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
"p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
})
}
+
+func TestRenderHooksDefaultEscape(t *testing.T) {
+ files := `
+-- hugo.toml --
+[markup.goldmark.renderHooks]
+[markup.goldmark.renderHooks.image]
+ enableDefault = ENABLE
+[markup.goldmark.renderHooks.link]
+enableDefault = ENABLE
+[markup.goldmark.parser]
+wrapStandAloneImageWithinParagraph = false
+[markup.goldmark.parser.attribute]
+block = true
+title = true
+-- content/_index.md --
+---
+title: "Home"
+---
+Link: [text-"<>&](/destination-"<> 'title-"<>&')
+
+Image: ![alt-"<>&](/destination-"<> 'title-"<>&')
+{class="><script>alert()</script>" id="baz"}
+
+-- layouts/index.html --
+{{ .Content }}
+`
+
+ for _, enabled := range []bool{true, false} {
+ enabled := enabled
+ t.Run(fmt.Sprint(enabled), func(t *testing.T) {
+ t.Parallel()
+ b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
+
+ // The escaping is slightly different between the two.
+ if enabled {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-&#34;&lt;&gt;&amp;\">text-&quot;&lt;&gt;&amp;</a>",
+ "img alt=\"alt-&quot;&lt;&gt;&amp;\" src=\"/destination-%22%3C%3E\" title=\"title-&#34;&lt;&gt;&amp;\">",
+ "&gt;&lt;script&gt;",
+ )
+ } else {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-&quot;&lt;&gt;&amp;\">text-&quot;&lt;&gt;&amp;</a>",
+ "Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-&quot;&lt;&gt;&amp;\" title=\"title-&quot;&lt;&gt;&amp;\">",
+ )
+ }
+ })
+ }
+}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
index 013e31235..875763910 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
@@ -5,7 +5,7 @@
{{- $src = .RelPermalink -}}
{{- end -}}
{{- end -}}
-{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
+{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
<img
{{- range $k, $v := $attributes -}}
{{- if $v -}}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
index 8903d3dfb..30e4d2660 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
@@ -17,7 +17,7 @@
{{- end -}}
{{- end -}}
{{- end -}}
-{{- $attributes := dict "href" $href "title" .Title -}}
+{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
<a
{{- range $k, $v := $attributes -}}
{{- if $v -}}