author | Bjørn Erik Pedersen <[email protected]> | 2024-04-22 10:56:02 +0200 |
---|---|---|
committer | Bjørn Erik Pedersen <[email protected]> | 2024-04-22 16:54:24 +0200 |
commit | 15a4b9b33715887001f6eff30721d41c0d4cfdd1 (patch) | |
tree | 75450b44c78621df1035f556a5090ce192505917 /hugolib | |
parent | 10a8448eee99708912295aaade2c8ce9c352c984 (diff) | |
tpl: Escape .Title in built-in image and link render hooks
Co-authored-by: Joe Mooring <[email protected]>
Diffstat (limited to 'hugolib')
-rw-r--r-- | hugolib/content_render_hooks_test.go | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go
index 36d1e626f..abe305762 100644
--- a/hugolib/content_render_hooks_test.go
+++ b/hugolib/content_render_hooks_test.go
@@ -14,6 +14,7 @@
 package hugolib
 import (
+ "fmt"
 "strings"
 "testing"
 )
@@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
 "p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
 })
 }
+
+func TestRenderHooksDefaultEscape(t *testing.T) {
+ files := `
+-- hugo.toml --
+[markup.goldmark.renderHooks]
+[markup.goldmark.renderHooks.image]
+ enableDefault = ENABLE
+[markup.goldmark.renderHooks.link]
+enableDefault = ENABLE
+[markup.goldmark.parser]
+wrapStandAloneImageWithinParagraph = false
+[markup.goldmark.parser.attribute]
+block = true
+title = true
+-- content/_index.md --
+---
+title: "Home"
+---
+Link: [text-"<>&](/destination-"<> 'title-"<>&')
+
+Image: ![alt-"<>&](/destination-"<> 'title-"<>&')
+{class="><script>alert()</script>" id="baz"}
+
+-- layouts/index.html --
+{{ .Content }}
+`
+
+ for _, enabled := range []bool{true, false} {
+ enabled := enabled
+ t.Run(fmt.Sprint(enabled), func(t *testing.T) {
+ t.Parallel()
+ b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
+
+ // The escaping is slightly different between the two.
+ if enabled {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
+ "img alt=\"alt-"<>&\" src=\"/destination-%22%3C%3E\" title=\"title-"<>&\">",
+ "><script>",
+ )
+ } else {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
+ "Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-"<>&\" title=\"title-"<>&\">",
+ )
+ }
+ })
+ }
+} |
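Review bot: TestRenderHooksDefaultEscape only asserts that the escaped forms are present; neither `AssertFileContent` call asserts that the raw `<script>alert()</script>` value from the `{class=...}` block attribute is absent, and the `else` (hooks disabled) branch makes no assertion about that attribute at all. Output that carried the attribute unescaped alongside an otherwise correct link and image would still pass. A negative match in both branches would pin this, for example `"! <script>alert()</script>",`, assuming the test builder's `! ` negation prefix is available in this tree. Separately, this page appears to have decoded the HTML entities inside the expected strings (a bare `"` shows up inside a Go string literal), so the difference that the comment `// The escaping is slightly different between the two.` refers to is not visible here and the assertions should be read from the raw patch.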