author | Bjørn Erik Pedersen <[email protected]> | 2024-04-22 10:56:02 +0200 |
committer | Bjørn Erik Pedersen <[email protected]> | 2024-04-22 16:54:24 +0200 |
commit | 15a4b9b33715887001f6eff30721d41c0d4cfdd1 (patch) | |
tree | 75450b44c78621df1035f556a5090ce192505917 | |
parent | 10a8448eee99708912295aaade2c8ce9c352c984 (diff) | |
tpl: Escape .Title in built-in image and link render hooks
Co-authored-by: Joe Mooring <[email protected]>
-rw-r--r-- | .hugo_build.lock | 0 | ||||
-rw-r--r-- | hugolib/content_render_hooks_test.go | 50 | ||||
-rw-r--r-- | tpl/tplimpl/embedded/templates/_default/_markup/render-image.html | 2 | ||||
-rw-r--r-- | tpl/tplimpl/embedded/templates/_default/_markup/render-link.html | 2 |
4 files changed, 52 insertions, 2 deletions
diff --git a/.hugo_build.lock b/.hugo_build.lock
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/.hugo_build.lock
diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go
index 36d1e626f..abe305762 100644
--- a/hugolib/content_render_hooks_test.go
+++ b/hugolib/content_render_hooks_test.go
@@ -14,6 +14,7 @@
 package hugolib
 import (
+ "fmt"
 "strings"
 "testing"
 )
@@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
 "p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
 })
 }
+
+func TestRenderHooksDefaultEscape(t *testing.T) {
+ files := `
+-- hugo.toml --
+[markup.goldmark.renderHooks]
+[markup.goldmark.renderHooks.image]
+ enableDefault = ENABLE
+[markup.goldmark.renderHooks.link]
+enableDefault = ENABLE
+[markup.goldmark.parser]
+wrapStandAloneImageWithinParagraph = false
+[markup.goldmark.parser.attribute]
+block = true
+title = true
+-- content/_index.md --
+---
+title: "Home"
+---
+Link: [text-"<>&](/destination-"<> 'title-"<>&')
+
+Image: ![alt-"<>&](/destination-"<> 'title-"<>&')
+{class="><script>alert()</script>" id="baz"}
+
+-- layouts/index.html --
+{{ .Content }}
+`
+
+ for _, enabled := range []bool{true, false} {
+ enabled := enabled
+ t.Run(fmt.Sprint(enabled), func(t *testing.T) {
+ t.Parallel()
+ b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
+
+ // The escaping is slightly different between the two.
+ if enabled {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
+ "img alt=\"alt-"<>&\" src=\"/destination-%22%3C%3E\" title=\"title-"<>&\">",
+ "><script>",
+ )
+ } else {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
+ "Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-"<>&\" title=\"title-"<>&\">",
+ )
+ }
+ })
+ }
+}
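Review bot: The `else` branch of TestRenderHooksDefaultEscape (the case with the built-in hooks disabled) only asserts the link and image markup and never checks what becomes of the injected `{class="><script>alert()</script>" id="baz"}` attribute, while the `enabled` branch pins its escaped form as a third expectation; a regression in the native renderer's attribute escaping would therefore pass this test unnoticed. Adding the same escaped-class expectation to the second `b.AssertFileContent("public/index.html", ...)` call, or at least an assertion that the literal `<script>` tag does not reach the output, would cover both configurations — assuming the attribute is emitted at all when `wrapStandAloneImageWithinParagraph = false` and the hooks are off, which cannot be confirmed from this hunk. Note that this page's rendering has decoded the HTML entities inside the expected strings, so the exact escaped form should be copied from the enabled branch in the source file rather than from this view. The `enabled := enabled` shadow of the loop variable is only required for modules declaring a Go version before 1.22 and can be dropped otherwise.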
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
index 013e31235..875763910 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
@@ -5,7 +5,7 @@
 {{- $src = .RelPermalink -}}
 {{- end -}}
 {{- end -}}
-{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
+{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
 <img
 {{- range $k, $v := $attributes -}}
 {{- if $v -}}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
index 8903d3dfb..30e4d2660 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
@@ -17,7 +17,7 @@
 {{- end -}}
 {{- end -}}
 {{- end -}}
-{{- $attributes := dict "href" $href "title" .Title -}}
+{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
 <a
 {{- range $k, $v := $attributes -}}
 {{- if $v -}} |
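Review bot: The template gives no hint why `.Title` alone is passed through `transform.HTMLEscape` while `.Text` and `$src` in the same `dict` are not, so the next person tidying this line is likely to drop the pipe as redundant; a template comment such as `{{- /* .Title is not pre-escaped; escape it before it is written out as an attribute value. */ -}}` directly above the `$attributes` assignment would keep the reason with the code. The same comment belongs on the `render-link.html` hunk below, which makes the identical change. The loop that writes `$attributes` out is outside this hunk, so whether `alt` and `src` are escaped on that path cannot be judged here; the test's expectation for `alt` suggests `.Text` arrives already escaped, and naming where that happens in the same comment would complete the picture.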