Commit graph

830 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
44954497bc
Always use content to resolve content type in resources.GetRemote
This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`.

This commit also adds ttf and otf media type definitions to Hugo.

Fixes #9302
Fixes #9301
2021-12-17 09:50:28 +01:00
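The content-first rule from the commit message above, as an added Go example (not code from the Hugo repository). It covers only the `Content-Type` header case; `Resolve` and the `textBased` list are hypothetical names and assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// textBased lists claimed types accepted when sniffing only yields text/plain.
// The list is an assumption made for this example.
var textBased = map[string]bool{
	"application/json": true, "text/css": true, "text/csv": true,
}

// Resolve returns the media type to use for body and whether the claimed
// Content-Type header value was consistent with the bytes.
func Resolve(claimedHeader string, body []byte) (mediaType string, consistent bool) {
	// DetectContentType inspects at most the first 512 bytes and always
	// returns a valid type ("application/octet-stream" when unsure).
	sniffed, _, _ := mime.ParseMediaType(http.DetectContentType(body))
	claimed, _, err := mime.ParseMediaType(claimedHeader)
	if err != nil {
		claimed = "" // missing or malformed header: treated as no claim
	}
	// Sniffing cannot tell JSON, CSS or CSV from plain text, so a claim may
	// refine text/plain, but only to another text-based type.
	if sniffed == "text/plain" && textBased[claimed] {
		return claimed, true
	}
	// In every other case the bytes win over the header.
	return sniffed, claimed == sniffed
}

func main() {
	png := []byte("\x89PNG\r\n\x1a\n") // constructed: PNG signature only
	html := []byte("<html><body>constructed</body></html>")
	fmt.Println(Resolve("image/png", png))
	fmt.Println(Resolve("image/png", html))
	fmt.Println(Resolve("application/json; charset=utf-8", []byte(`{"k": 1}`)))
}
```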
Bjørn Erik Pedersen
22ef5da20d
Add resources.GetRemote
In Hugo 0.89 we added remote support to `resources.Get`.

In hindsight that was not a great idea, as a poll from many Hugo users showed. See Issue #9285 for more details.

After this commit `resources.Get` only supports local resource lookups. If you want to support both, you need to use a construct similar to:

Also improve some option case handling.

```
{{ $resource := "" }}
{{ if (urls.Parse $url).IsAbs }}
{{ $resource = resources.GetRemote $url }}
{{ else }}
{{ $resource = resources.Get $url }}
{{ end }}
```

Fixes #9285
Fixes #9296
2021-12-17 09:33:51 +01:00
Paul Gottschling
5758c370ea
Allow for return partials with falsy arguments (#9298)
Partials with return values are parsed, then inserted into a
partial return wrapper via wrapInPartialReturnWrapper in order
to assign the return value via *contextWrapper.Set. The
predefined wrapper template for partials inserts a partial's nodes
into a "with" template action in order to set dot to a
*contextWrapper within the partial. However, because "with" is
skipped if its argument is falsy, partials with falsy arguments
were not being evaluated.

This replaces the "with" action in the partial wrapper with a
"range" action that isn't skipped if .Arg is falsy.

Fixes #7528
2021-12-17 08:35:21 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This commit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
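How regular expression allowlists like the defaults above behave, as an added Go example (not Hugo's own implementation). `Allowlist`, `NewAllowlist`, `Accept` and `FilterEnv` are hypothetical names, and matching with `regexp.MatchString` is an assumption; the patterns are the defaults from the commit message. Under that assumption an unanchored pattern matches substrings, which is why custom entries should keep the `^...$` anchors.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist is a hypothetical helper for this example, not Hugo's own type.
type Allowlist []*regexp.Regexp

// NewAllowlist compiles the patterns; the value "none" yields an empty list.
func NewAllowlist(patterns ...string) (a Allowlist) {
	for _, p := range patterns {
		if p == "none" {
			return nil
		}
		a = append(a, regexp.MustCompile(p))
	}
	return a
}

// Accept reports whether name matches any pattern; an empty list denies all.
func (a Allowlist) Accept(name string) bool {
	for _, re := range a {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

// Default patterns copied from the [security] section of the commit message.
var ExecAllow = NewAllowlist(`^dart-sass-embedded$`, `^go$`, `^npx$`, `^postcss$`)
var OsEnv = NewAllowlist(`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`)

// FilterEnv keeps only the KEY=value entries whose key passes the allowlist.
func FilterEnv(env []string, allow Allowlist) (out []string) {
	for _, kv := range env {
		if allow.Accept(strings.SplitN(kv, "=", 2)[0]) {
			out = append(out, kv)
		}
	}
	return out
}

func main() {
	env := []string{"PATH=/usr/bin", "API_TOKEN=constructed", "Term=xterm"} // constructed
	fmt.Println(ExecAllow.Accept("asciidoctor"), FilterEnv(env, OsEnv), NewAllowlist(`go`).Accept("mongo"))
}
```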
Bjørn Erik Pedersen
3bc6830411 Remove the retries on error in remote resources.Get
Fixes #9271
See #9259
2021-12-10 11:10:41 +01:00
Bjørn Erik Pedersen
e4d6ec94b5 Allow user to handle/ignore errors in resources.Get
In Hugo 0.90.0 we introduced remote support in `resources.Get`.

But remote resources come with a higher chance of failing a build (network issues, remote server down etc.).

Before this commit we always failed the build on any unexpected error.

This commit allows the user to check for any error (and potentially fall back to a default local resource):

```htmlbars
{{ $result := resources.Get "https://gohugo.io/img/hugo-logo.png" }}
{{ with $result }}
        {{ if .Err }}
        {{/* log the error, insert a default image etc. */}}
        {{ else }}
        <img src="{{ .RelPermalink }}" width="{{ .Width }}" height="{{ .Height }}" alt="">
        {{ end }}
{{ end }}
```

Note that the default behaviour is still to fail the build, but we will delay that error until you start using the `Resource`.

Fixes #9529
2021-12-10 11:10:41 +01:00
Joe Mooring
5538507e90 tpl/transform: Optional options for highlight func
Closes #9249
Fixes gohugoio/hugoDocs#63
2021-12-07 11:26:56 +01:00
Paul van Brouwershaven
0eaaa8fee3
Implement XML data support
Example:

```
{{ with resources.Get "https://example.com/rss.xml" | transform.Unmarshal }}
    {{ range .channel.item }}
        <strong>{{ .title | plainify | htmlUnescape }}</strong><br />
        <p>{{ .description | plainify | htmlUnescape }}</p>
        {{ $link := .link | plainify | htmlUnescape }}
        <a href="{{ $link }}">{{ $link }}</a><br />
        <hr>
    {{ end }}
{{ end }}
```

Closes #4470
2021-12-02 17:30:36 +01:00
Bjørn Erik Pedersen
93572e5318 resources: Add timeout to the HTTP request in Get
Workaround for https://github.com/golang/go/issues/49366
2021-12-02 16:11:14 +01:00
Joe Mooring
133e4bfbee Remove empty href element from pagination template
Closes #9149
2021-12-02 09:14:30 +01:00
Paul van Brouwershaven
8aa7257f65
Add remote support to resources.Get
Closes #5255
Supports #9044
2021-11-30 11:49:51 +01:00
Joe Mooring
75a823a36a Add deprecation warning to google_news template
Closes #9172
2021-11-21 11:25:17 +01:00
Joe Mooring
04a3b45db4 Fix description of lang.FormatNumberCustom
It currently refers to itself as a simple alternative, when it should
refer to lang.FormatNumber.
2021-11-01 18:54:43 +01:00
Joe Mooring
0cc39af682 Update Twitter shortcode oEmbed endpoint
The existing endpoint will be retired and removed on November 23, 2021.
References:

- https://twittercommunity.com/t/consolidating-the-oembed-functionality/154690
- https://developer.twitter.com/en/docs/twitter-for-websites/oembed-api#Embedded

This is a backward compatible change.

The existing endpoint requires a single parameter: the id of the tweet.

The new endpoint requires two parameters: the id of the tweet, and the
user with whom it is associated. For the moment, if you supply the wrong
user, the request will be redirected (with a small delay) to the correct
user/id pair. This behavior is undocumented, but we will take advantage
of it as Hugo site authors transition to the new syntax.

{{< tweet 1453110110599868418 >}} --> works, throws warning, deprecate at some point

{{< tweet user="SanDiegoZoo" id="1453110110599868418" >}} --> new syntax

Fixes #8130
2021-11-01 15:51:00 +01:00
Bjørn Erik Pedersen
e82cbd746f
tpl/time: Use configured location when date passed to Format is string
Updates #9084
2021-10-30 16:09:38 +02:00
Brad
e55466ce70
tpl/path: Add path.Clean
Fixes #8885
2021-10-05 16:15:10 +02:00
Paul Gottschling
a864ffe9ac Clarify "precision" in currency format functions
The documentation of the FormatAccounting and FormatCurrency
functions could be clearer in terms of how the precision param
works. This commit makes it more explicit that adding a precision
of < 2 will not format the return values to include fewer decimals.

Resolves #8858
2021-09-22 20:00:30 +02:00
Bjørn Erik Pedersen
abd969a670
Revert "tpl/time: Handle nil values in time.AsTime"
This reverts commit 3e11072892.
2021-08-10 13:21:49 +02:00
Bjørn Erik Pedersen
3e11072892
tpl/time: Handle nil values in time.AsTime
Closes #8865
2021-08-09 18:44:35 +02:00
Bjørn Erik Pedersen
9bba9a3a98
parser: Indent TOML tables
Fixes #8850
2021-08-04 11:39:16 +02:00
Salim B
d6c8cd7718 Fix lang.FormatPercent description
Successor PR for https://github.com/gohugoio/hugoDocs/pull/1504
2021-08-03 16:56:06 +02:00
Bjørn Erik Pedersen
9ff17c3324
tpl/time: Adjust tests to handle matching local time zones
Closes #8843
2021-08-03 08:54:45 +02:00
Bjørn Erik Pedersen
3a96655592 Reduce binary size vs locale, update to CLDR v36.1
Test building with `go build -ldflags="-s -w"`

Hugo 0.86.2: 46MB
Before this commit: 77MB
After this commit: 54MB

Fixes #8839
Fixes #8841
2021-08-02 19:40:32 +02:00
Bjørn Erik Pedersen
6c70e1f22f Fix error handling for the time func alias
Fixes #8835
2021-08-01 13:39:30 +02:00
Bjørn Erik Pedersen
7907d24ba1
tpl/lang: Add new localized versions of lang.FormatNumber etc.
Fixes #8820
2021-07-29 16:40:06 +02:00
Bjørn Erik Pedersen
b5de37ee79
Handle toml.LocalDate and toml.LocalDateTime in front matter
See #8801
2021-07-28 18:02:42 +02:00
Bjørn Erik Pedersen
a3701e0931 Switch to go-toml v2
We have been using `go-toml` for language files only. This commit makes it the only TOML library.

It's spec compliant and very fast.

A benchmark building a site with 200 pages with TOML front matter:

```bash
name                                  old time/op    new time/op    delta
SiteNew/Regular_TOML_front_matter-16    48.5ms ± 1%    47.1ms ± 1%  -2.85%  (p=0.029 n=4+4)

name                                  old alloc/op   new alloc/op   delta
SiteNew/Regular_TOML_front_matter-16    16.9MB ± 0%    16.7MB ± 0%  -1.56%  (p=0.029 n=4+4)

name                                  old allocs/op  new allocs/op  delta
SiteNew/Regular_TOML_front_matter-16      302k ± 0%      296k ± 0%  -2.20%  (p=0.029 n=4+4)
```

Note that the front matter unmarshaling is only a small part of building a site, so the above is very good.

Fixes #8801
2021-07-28 11:51:13 +02:00
Bjørn Erik Pedersen
efa5760db5 Add timezone support for front matter dates without one
Fixes #8810
2021-07-27 19:02:48 +02:00
Bjørn Erik Pedersen
a57dda854b Localize time.Format
Fixes #8797
2021-07-27 19:02:48 +02:00
Bjørn Erik Pedersen
022c479551
hugofs: Make FileMeta a struct
This commit started out investigating a `concurrent map read write` issue, ending by replacing the map with a struct.

This is easier to reason about, and it's more effective:

```
name                                  old time/op    new time/op    delta
SiteNew/Regular_Deep_content_tree-16    71.5ms ± 3%    69.4ms ± 5%    ~     (p=0.200 n=4+4)

name                                  old alloc/op   new alloc/op   delta
SiteNew/Regular_Deep_content_tree-16    29.7MB ± 0%    27.9MB ± 0%  -5.82%  (p=0.029 n=4+4)

name                                  old allocs/op  new allocs/op  delta
SiteNew/Regular_Deep_content_tree-16      313k ± 0%      303k ± 0%  -3.35%  (p=0.029 n=4+4)
```

See #8749
2021-07-15 17:14:26 +02:00
Raoul
f75f90079a Fix tab selection of disabled items in internal pagination template 2021-07-05 10:30:59 +02:00
Joe Mooring
34e4742f0c Fix date format in schema and opengraph templates
Fixes #8671
2021-06-29 20:20:38 +02:00
Bjørn Erik Pedersen
9096842b04
tpl: Rename err-missing-instagram-accesstoken => error-missing-instagram-accesstoken
To get it in line with the other.
2021-06-18 12:27:37 +02:00
Bjørn Erik Pedersen
d392893cd7
Misc config loading fixes
The main motivation behind this is simplicity and correctness, but the new small config library is also faster:

```
BenchmarkDefaultConfigProvider/Viper-16         	  252418	      4546 ns/op	    2720 B/op	      30 allocs/op
BenchmarkDefaultConfigProvider/Custom-16        	  450756	      2651 ns/op	    1008 B/op	       6 allocs/op
```

Fixes #8633
Fixes #8618
Fixes #8630
Updates #8591
Closes #6680
Closes #5192
2021-06-14 17:00:32 +02:00
Bjørn Erik Pedersen
a91cd7652f
docs: Regenerate docs helper 2021-06-08 18:52:38 +02:00
Joe Mooring
73483d0f9e
tpl: Add a terse pagination template variant to improve performance
These calls are equivalent:

```
{{ template "_internal/pagination.html" . }}
{{ template "_internal/pagination.html" (dict "page" .) }}
{{ template "_internal/pagination.html" (dict "page" . "format" "default") }}
```

To use an alternate format:

```
{{ template "_internal/pagination.html" (dict "page" . "format" "terse") }}
```

Fixes #8599
2021-06-08 10:41:21 +02:00
Bjørn Erik Pedersen
9b5debe4b8 Upgrade Instagram shortcode
Fixes #7879
2021-06-08 10:30:45 +02:00
Bjørn Erik Pedersen
f55d2f4376
tpl/fmt: Add erroridf template func
Fixes #8613
2021-06-07 19:11:03 +02:00
Bjørn Erik Pedersen
282f1aa3db
tpl/data: Print response body on HTTP errors
Which makes it easier to debug.
2021-06-07 12:06:27 +02:00
Bjørn Erik Pedersen
fcd63de3a5 tpl/data: Misc header improvements, tests, allow multiple headers of same key
Closes #5617
2021-06-06 13:32:12 +02:00
Paul Chamberlain
150d75738b tpl/data: Allows user-defined HTTP headers with getJSON and getCSV
Updates #5617
2021-06-06 13:32:12 +02:00
Joe Mooring
01758f99b9 Add math.Max and math.Min
Closes #8583
2021-05-28 20:38:45 +02:00
Ujjwal Goyal
c46fc838a9 tpl: Allow 'Querify' to take lone slice/interface argument
Querify can now take a lone string/interface slice (with string
keys) as a parameter, or multiple string parameters, to build
URL queries.

Querify earlier used 'Dictionary' to add key/value pairs to a
map to build URL queries. Changed to dynamically generate ordered
key/value pairs. Cannot take string slice as key (earlier
possible due to Dictionary).

Added tests and benchmarks for querify.

Closes #6735
2021-05-09 13:14:14 +02:00
Julien Midedji
7a2c10ae60
tpl: Fix countwords to handle special chars
Fixes #8479
2021-05-03 09:10:06 +02:00
Bjørn Erik Pedersen
3cc4fdd6f3 deps: Update getkin/kin-openapi v0.60.0 => v0.61. 2021-04-30 14:27:21 +02:00
Joe Mooring
f6745ad358 Remove .Site.Authors from embedded templates
Closes #4458
2021-04-29 17:07:05 +02:00
Bjørn Erik Pedersen
e4dc9a82b5 tpl/collections: Fix where on type mismatches
Fixes #8353
2021-04-23 18:06:49 +02:00
Bjørn Erik Pedersen
0d86a32d8f Make the shortcode template lookup for output formats stable
Fixes #7774
2021-04-23 15:04:35 +02:00
Bjørn Erik Pedersen
bca40cf0c9 Fix Params case handling in where with slices of structs (e.g. Pages)
Fixes #7009
2021-04-21 19:28:18 +02:00
Joe Mooring
9b34d42bb2 Remove extraneous space from figure shortcode
Fixes #8401
2021-04-15 14:43:32 +02:00