From 15a4b9b33715887001f6eff30721d41c0d4cfdd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Erik=20Pedersen?=
 <bjorn.erik.pedersen@gmail.com>
Date: Mon, 22 Apr 2024 10:56:02 +0200
Subject: [PATCH] tpl: Escape .Title in built-in image and link render hooks

Co-authored-by: Joe Mooring <joe@mooring.com>
---
 .hugo_build.lock                              |  0
 hugolib/content_render_hooks_test.go          | 50 +++++++++++++++++++
 .../_default/_markup/render-image.html        |  2 +-
 .../_default/_markup/render-link.html         |  2 +-
 4 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 .hugo_build.lock

diff --git a/.hugo_build.lock b/.hugo_build.lock
new file mode 100644
index 000000000..e69de29bb
diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go
index 36d1e626f..abe305762 100644
--- a/hugolib/content_render_hooks_test.go
+++ b/hugolib/content_render_hooks_test.go
@@ -14,6 +14,7 @@
 package hugolib
 
 import (
+	"fmt"
 	"strings"
 	"testing"
 )
@@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
 			"p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
 	})
 }
+
+func TestRenderHooksDefaultEscape(t *testing.T) {
+	files := `
+-- hugo.toml --
+[markup.goldmark.renderHooks]
+[markup.goldmark.renderHooks.image]
+  enableDefault = ENABLE
+[markup.goldmark.renderHooks.link]
+enableDefault = ENABLE
+[markup.goldmark.parser]
+wrapStandAloneImageWithinParagraph = false
+[markup.goldmark.parser.attribute]
+block = true
+title = true
+-- content/_index.md --
+---
+title: "Home"
+---
+Link: [text-"<>&](/destination-"<> 'title-"<>&')
+
+Image: ![alt-"<>&](/destination-"<> 'title-"<>&')
+{class="><script>alert()</script>" id="baz"}
+
+-- layouts/index.html --
+{{ .Content }}
+`
+
+	for _, enabled := range []bool{true, false} {
+		enabled := enabled
+		t.Run(fmt.Sprint(enabled), func(t *testing.T) {
+			t.Parallel()
+			b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
+
+			// The escaping is slightly different between the two.
+			if enabled {
+				b.AssertFileContent("public/index.html",
+					"Link: <a href=\"/destination-%22%3C%3E\" title=\"title-&#34;&lt;&gt;&amp;\">text-&quot;&lt;&gt;&amp;</a>",
+					"img alt=\"alt-&quot;&lt;&gt;&amp;\" src=\"/destination-%22%3C%3E\" title=\"title-&#34;&lt;&gt;&amp;\">",
+					"&gt;&lt;script&gt;",
+				)
+			} else {
+				b.AssertFileContent("public/index.html",
+					"Link: <a href=\"/destination-%22%3C%3E\" title=\"title-&quot;&lt;&gt;&amp;\">text-&quot;&lt;&gt;&amp;</a>",
+					"Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-&quot;&lt;&gt;&amp;\" title=\"title-&quot;&lt;&gt;&amp;\">",
+				)
+			}
+		})
+	}
+}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
index 013e31235..875763910 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
@@ -5,7 +5,7 @@
     {{- $src = .RelPermalink -}}
   {{- end -}}
 {{- end -}}
-{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
+{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
 <img
   {{- range $k, $v := $attributes -}}
     {{- if $v -}}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
index 8903d3dfb..30e4d2660 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
@@ -17,7 +17,7 @@
     {{- end -}}
   {{- end -}}
 {{- end -}}
-{{- $attributes := dict "href" $href "title" .Title -}}
+{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
 <a
   {{- range $k, $v := $attributes -}}
     {{- if $v -}}