tpl: Escape .Title in built-in image and link render hooks - hugo - [fork] hugo port for 9front
---
(DIR) commit 15a4b9b33715887001f6eff30721d41c0d4cfdd1
(DIR) parent 10a8448eee99708912295aaade2c8ce9c352c984
(HTM) Author: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
Date: Mon, 22 Apr 2024 10:56:02 +0200
tpl: Escape .Title in built-in image and link render hooks
Co-authored-by: Joe Mooring <joe@mooring.com>
Diffstat:
A .hugo_build.lock | 0
M hugolib/content_render_hooks_test.… | 50 +++++++++++++++++++++++++++++++
M tpl/tplimpl/embedded/templates/_de… | 2 +-
M tpl/tplimpl/embedded/templates/_de… | 2 +-
4 files changed, 52 insertions(+), 2 deletions(-)
---
(DIR) diff --git a/.hugo_build.lock b/.hugo_build.lock
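Review bot: `.hugo_build.lock` is added as an empty file in a commit about template escaping, which looks like a build artifact committed by accident rather than part of the change; as far as I know Hugo writes a lock file of that name at the project root while a build runs. It should be dropped from the commit and listed in `.gitignore` so it does not reappear in later commits.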
(DIR) diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go
@@ -14,6 +14,7 @@
package hugolib
import (
+ "fmt"
"strings"
"testing"
)
@@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
"p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
})
}
+
+func TestRenderHooksDefaultEscape(t *testing.T) {
+ files := `
+-- hugo.toml --
+[markup.goldmark.renderHooks]
+[markup.goldmark.renderHooks.image]
+ enableDefault = ENABLE
+[markup.goldmark.renderHooks.link]
+enableDefault = ENABLE
+[markup.goldmark.parser]
+wrapStandAloneImageWithinParagraph = false
+[markup.goldmark.parser.attribute]
+block = true
+title = true
+-- content/_index.md --
+---
+title: "Home"
+---
+Link: [text-"<>&](/destination-"<> 'title-"<>&')
+
+Image: 
+{class="><script>alert()</script>" id="baz"}
+
+-- layouts/index.html --
+{{ .Content }}
+`
+
+ for _, enabled := range []bool{true, false} {
+ enabled := enabled
+ t.Run(fmt.Sprint(enabled), func(t *testing.T) {
+ t.Parallel()
+ b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
+
+ // The escaping is slightly different between the two.
+ if enabled {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
+ "img alt=\"alt-"<>&\" src=\"/destination-%22%3C%3E\" title=\"title-"<>&\">",
+ "><script>",
+ )
+ } else {
+ b.AssertFileContent("public/index.html",
+ "Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
+ "Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-"<>&\" title=\"title-"<>&\">",
+ )
+ }
+ })
+ }
+}
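Review bot: Neither branch asserts that an unescaped `<script>` is absent from `public/index.html`; AssertFileContent only checks that each listed fragment is present, so the `"><script>"` expectation in the `enabled` branch would still pass if a raw copy of the tag from the attribute block `{class="><script>alert()</script>" id="baz"}` were emitted elsewhere in the page. The `else` branch does not reference the `class` value at all, so the non-hook render path is not checked for it; whether goldmark's native renderer emits that attribute is not visible here. An absence check for the literal `<script>` in both branches would pin the property this commit is about, so that a regression in either render path fails the test. TestRenderHooksDefaultEscape is fully contained in this hunk.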
(DIR) diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
@@ -5,7 +5,7 @@
{{- $src = .RelPermalink -}}
{{- end -}}
{{- end -}}
-{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
+{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
<img
{{- range $k, $v := $attributes -}}
{{- if $v -}}
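Review bot: The escaping of `.Title` is done inline on the `$attributes` line, while `.Text` and the caller-supplied `.Attributes` merged on the same line are passed through unchanged, so which values arrive pre-escaped is now an unstated contract spread across layers not visible here (the `range` loop that emits the attributes continues past the end of the hunk). The test expectations suggest `.Text` and the attribute-block values are already escaped before they reach the template, but nothing in the template says so, and a maintainer adding another attribute has no cue whether to escape it or risk double-escaping. A comment above the line, e.g. `{{- /* .Title is raw Markdown text and must be escaped here; the other values are expected to arrive already escaped - verify before changing. */ -}}`, would record that. The `render-link.html` hunk below makes the identical change and needs the same note.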
(DIR) diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
@@ -17,7 +17,7 @@
{{- end -}}
{{- end -}}
{{- end -}}
-{{- $attributes := dict "href" $href "title" .Title -}}
+{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
<a
{{- range $k, $v := $attributes -}}
{{- if $v -}}