mirror of
https://github.com/gohugoio/hugo.git
synced 2024-11-07 20:30:36 -05:00
tpl: Escape .Title in built-in image and link render hooks
Co-authored-by: Joe Mooring <joe@mooring.com>
parent
10a8448eee
commit
15a4b9b337
4 changed files with 52 additions and 2 deletions
0
.hugo_build.lock
Normal file
0
.hugo_build.lock
Normal file
|
@ -14,6 +14,7 @@
|
||||||
package hugolib
|
package hugolib
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
|
||||||
"p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
|
"p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestRenderHooksDefaultEscape(t *testing.T) {
|
||||||
|
files := `
|
||||||
|
-- hugo.toml --
|
||||||
|
[markup.goldmark.renderHooks]
|
||||||
|
[markup.goldmark.renderHooks.image]
|
||||||
|
enableDefault = ENABLE
|
||||||
|
[markup.goldmark.renderHooks.link]
|
||||||
|
enableDefault = ENABLE
|
||||||
|
[markup.goldmark.parser]
|
||||||
|
wrapStandAloneImageWithinParagraph = false
|
||||||
|
[markup.goldmark.parser.attribute]
|
||||||
|
block = true
|
||||||
|
title = true
|
||||||
|
-- content/_index.md --
|
||||||
|
---
|
||||||
|
title: "Home"
|
||||||
|
---
|
||||||
|
Link: [text-"<>&](/destination-"<> 'title-"<>&')
|
||||||
|
|
||||||
|
Image: ![alt-"<>&](/destination-"<> 'title-"<>&')
|
||||||
|
{class="><script>alert()</script>" id="baz"}
|
||||||
|
|
||||||
|
-- layouts/index.html --
|
||||||
|
{{ .Content }}
|
||||||
|
`
|
||||||
|
|
||||||
|
for _, enabled := range []bool{true, false} {
|
||||||
|
enabled := enabled
|
||||||
|
t.Run(fmt.Sprint(enabled), func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
|
||||||
|
|
||||||
|
// The escaping is slightly different between the two.
|
||||||
|
if enabled {
|
||||||
|
b.AssertFileContent("public/index.html",
|
||||||
|
"Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
|
||||||
|
"img alt=\"alt-"<>&\" src=\"/destination-%22%3C%3E\" title=\"title-"<>&\">",
|
||||||
|
"><script>",
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
b.AssertFileContent("public/index.html",
|
||||||
|
"Link: <a href=\"/destination-%22%3C%3E\" title=\"title-"<>&\">text-"<>&</a>",
|
||||||
|
"Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-"<>&\" title=\"title-"<>&\">",
|
||||||
|
)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
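Review bot: The `else` branch (default renderer) asserts nothing about the `class` payload from the fixture's `{class=…}` line, and neither branch checks that the raw `<script>alert()` text is absent from `public/index.html`. A presence-only match can still pass while an unescaped copy of the payload exists elsewhere in the output. A negated match in both `AssertFileContent` calls would pin the fix, e.g. `"! <script>alert()",` if this builder's `! ` negation prefix is available at this revision. This page shows the expected strings with their entities decoded (the literal `title=\"title-"<>&\"` would not compile as Go), so the exact escaped forms being asserted cannot be read from this rendering, nor can the difference that the `// The escaping is slightly different between the two.` comment refers to.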
|
@ -5,7 +5,7 @@
|
||||||
{{- $src = .RelPermalink -}}
|
{{- $src = .RelPermalink -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
|
{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
|
||||||
<img
|
<img
|
||||||
{{- range $k, $v := $attributes -}}
|
{{- range $k, $v := $attributes -}}
|
||||||
{{- if $v -}}
|
{{- if $v -}}
|
||||||
|
|
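Review bot: Only the `title` entry is escaped where the dict is built, while `alt` (`.Text`), `src` and every key merged in from `.Attributes` reach the same `range` loop unchanged; the link hook's `dict "href" $href "title" …` line in the next section repeats this per-key pattern. The statement that prints `$v` lies past the end of this hunk, so whether those other values are already attribute-safe cannot be confirmed from here, and a key added to the dict later would silently miss the escape. A template comment above the line would record the contract, e.g. `{{- /* .Title arrives unescaped; every value placed in $attributes must already be attribute-safe. */ -}}`. Site-level image and link render hooks that were copied from the earlier built-in templates presumably still pass `.Title` through unescaped and would need the same change.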
|
@ -17,7 +17,7 @@
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- $attributes := dict "href" $href "title" .Title -}}
|
{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
|
||||||
<a
|
<a
|
||||||
{{- range $k, $v := $attributes -}}
|
{{- range $k, $v := $attributes -}}
|
||||||
{{- if $v -}}
|
{{- if $v -}}
|
||||||
|
|