Commit graph

69 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
1651beb2c1 Remove mmark
Closes #9350
2022-01-04 17:10:39 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Helder Pereira
7a15edafe2 highlight: Add tabindex when code is not highlighted 2021-08-23 12:28:45 +02:00
Helder Pereira
d966f5d08d highlight: Remove some pygments references 2021-08-21 15:50:49 +02:00
rhymes
f27e542442
markup: Add tabindex="0" to default <pre> wrapper
Currently the generated `<pre>` element isn't fully accessible as it can't be focused by keyboard users.
To make this fully accessible, the attribute `tabindex="0"` should be added to the `<pre>` tag.

Closes #7194
2021-07-15 16:48:39 +02:00
Bjørn Erik Pedersen
805664818d markup/goldmark: Rename/reorder the hook methods
To make them easier to follow.

See #8755
2021-07-15 10:14:52 +02:00
Bjørn Erik Pedersen
ee3d2bb1d3 markup/goldmark: Support auto links in render hook
Fixes #8755
2021-07-15 10:14:52 +02:00
Bjørn Erik Pedersen
a7e3da242f
markup: Rename Header(s) to Heading(s) in ToC struct
Because that is what it is.
2021-06-19 18:19:46 +02:00
Bjørn Erik Pedersen
d392893cd7
Misc config loading fixes
The main motivation behind this is simplicity and correctnes, but the new small config library is also faster:

```
BenchmarkDefaultConfigProvider/Viper-16         	  252418	      4546 ns/op	    2720 B/op	      30 allocs/op
BenchmarkDefaultConfigProvider/Custom-16        	  450756	      2651 ns/op	    1008 B/op	       6 allocs/op
```

Fixes #8633
Fixes #8618
Fixes #8630
Updates #8591
Closes #6680
Closes #5192
2021-06-14 17:00:32 +02:00
Niklas Fasching
fa432b17b3 org: Disable broken pretty relative links feature
go-org PrettyRelativeLinks rewrites relative org links by
- adding `../` in front
- removing any `.org` suffix

This was meant to play well with hugo pretty urls (which pretty much renders
posts in a subdirectory without the file suffix) and allow use of normal org
file links to reference other posts.

There's a lot of edge cases I didn't consider and multiple bug reports in
go-org [1] later I don't think the complexity of handling those edge cases is
worth it - so let's disable it.

[1]
- https://github.com/niklasfasching/go-org/issues/53
- 5dadf8c4c2 (comment)
- https://github.com/niklasfasching/go-org/issues/51
2021-04-12 08:08:53 +02:00
Bjørn Erik Pedersen
b725253f9e Attributes for code fences should be placed after the lang indicator only
Fixes #8313
2021-03-20 19:15:11 +01:00
Bjørn Erik Pedersen
18074d0c23 Fix output format handling for render hooks
Fixes #8176
2021-03-09 13:26:39 +01:00
Bjørn Erik Pedersen
aed7df62a8 markup: Handle attribute lists in code fences
Fixes #8278
2021-02-24 11:16:06 +01:00
Bjørn Erik Pedersen
cd0c5d7ef3 Allow markdown attribute lists to be used in title render hooks
Fixes #8270
2021-02-23 18:08:39 +01:00
gzagatti
01dd7c16af Fixes #7698.
markup: Allow installed arbitrary Asciidoc extension via path validation.
2021-02-22 13:52:04 +01:00
Bjørn Erik Pedersen
e6dd312812
markup/goldmark: Fix handling of legacy attribute config
See #7548
2021-02-09 09:23:18 +01:00
Bjørn Erik Pedersen
2681633db8 markup/goldmark: Add attributes support for blocks (tables etc.)
E.g.:

```
> foo
> bar
{.myclass}
```

There are some current limitations: For tables you can currently only apply it to the full table, and for lists the ul/ol-nodes only, e.g.:

```
* Fruit
  * Apple
  * Orange
  * Banana
  {.fruits}
* Dairy
  * Milk
  * Cheese
  {.dairies}
{.list}
```

Fixes #7548
2021-02-08 19:52:55 +01:00
Niklas Fasching
212e5e5542 deps: Update go-org to v1.4.0
- Add support for pretty urls [1]. Rewrite file links:
  1. replace the `.org` extension with `/` (`/foo.org` -> `/foo/`)
  2. prefix unrooted links with `../` as relative links start in the fake
  subdirectory `/foo/` rather than `/`
- Fix case-sensitivity of org drawer `🔚`

[1] https://gohugo.io/content-management/urls/#pretty-urls
2021-01-02 22:29:06 +01:00
Bjørn Erik Pedersen
4fdec67b11
rst: Adjust log level 2021-01-01 11:50:13 +01:00
Bjørn Erik Pedersen
cea1574023
Add Dart Sass support
But note that the Dart Sass Embedded Protocol is still in beta (beta 5), a main release scheduled for Q1 2021.

Fixes #7380
Fixes #8102
2020-12-30 17:32:25 +01:00
Bjørn Erik Pedersen
10ae7c3210
Improve LookPath 2020-12-19 17:03:07 +01:00
Phil Davis
04b89857e1
all: Fix minor typos 2020-12-16 12:11:32 +01:00
Bjørn Erik Pedersen
d90e37e0c6 all: Format code with gofumpt
See https://github.com/mvdan/gofumpt
2020-12-03 13:12:58 +01:00
Bjørn Erik Pedersen
e442cf30a2 Fix server rebuild issue with partials referenced from render hooks
Fixes #7990
2020-11-26 20:41:54 +01:00
Bjørn Erik Pedersen
b298c06e05
deps: Update to Chroma v0.8.2
Closes #7970
2020-11-20 09:30:05 +01:00
Bjørn Erik Pedersen
fdfa4a5fe6 Allow getJSON errors to be ignored
This change is mostly motivated to get a more stable CI build (we're building the Hugo site there, with Instagram and Twitter shortcodes sometimes failing).

Fixes #7866
2020-10-22 09:09:29 +02:00
Cameron Moore
14bce18a6c highlight: Avoid making unnecessary allocation
Avoid creating a local copy of the highlight configuration when no
options are passed.

Benchmarks of building the docs site:

name        old time/op    new time/op    delta
DocsSite-2     1.94s ± 4%     1.93s ± 4%    ~     (p=0.841 n=5+5)

name        old alloc/op   new alloc/op   delta
DocsSite-2     666MB ± 1%     656MB ± 0%  -1.48%  (p=0.008 n=5+5)

name        old allocs/op  new allocs/op  delta
DocsSite-2     8.85M ± 0%     8.76M ± 0%  -1.04%  (p=0.029 n=4+4)
2020-10-16 21:14:02 +02:00
Helder Pereira
8e553dcdef markup/asciidocext: Add preserveTOC option 2020-09-17 10:50:25 +02:00
Fernando Jorge Mota
fb0f2cc718
markup/highlight: Add support to linkable line anchors on Chroma
Fixes #7622
2020-09-13 11:00:16 +02:00
Bjørn Erik Pedersen
b7fa3c4bba
deps: Update to Goldmark v1.2.1 2020-09-11 07:49:35 +02:00
Helder Pereira
6a848cbc3a markup/asciidocext: Fix AsciiDoc TOC with code
Fixes #7649
2020-09-10 21:53:13 +02:00
Bjørn Erik Pedersen
4949bdc2ef
markup/asciidocext: Fix broken test 2020-09-08 10:00:57 +02:00
Bjørn Erik Pedersen
dcf25c0b49
markup/asciidocext: Revert trace=true 2020-09-07 21:44:11 +02:00
Nicolas Piganeau
3ba7c92530 markup/asciidoc: Add support for .TableOfContents
Fill the .TableOfContents template variable when writing Asciidoc content.
This is done by letting Asciidoc render its TOC as HTML, then extract this
HTML rendered TOC, parse it into a tableofcontents.Root and finally remove
it from the HTML content.
This aims to stay in the logic that the Asciidoc parsing is entirely done
by the external helper.

See #1687
2020-09-06 11:34:32 +02:00
Bjørn Erik Pedersen
19ef27b98e
markup/goldmark: Add a test case
Updates #7619
2020-09-04 10:23:02 +02:00
Aurken Bilbao
ad01aea3f4 Fixed misspelled words 2020-08-20 22:34:35 +02:00
Helder Pereira
45c665d396
Fix Asciidoctor args
* Fix Asciidoctor args

* Fix Asciidoctor args documentation

* Update AsciiDoc documentation

Co-authored-by: Derk Muenchhausen <derk@muenchhausen.de>

Fixes #7493
2020-07-23 15:59:48 +02:00
Joe Mooring
58c0f5e617 Remove trailing hyphen from auto heading ID
Applicable when autoHeadingIDType is either `github` or `github-ascii`.

When autoHeadingIDType is `blackfriday`, the existing code removes
trailing whitespace while iterating through the characters, using
a boolean "futureDash" mechanism.

Fixes #6798
2020-07-05 14:13:02 +02:00
Bryan Klein
beb6c03bc8 Update config.go to add two Asciidoctor extensions
Added two common extensions to allow my Hugo+Asciidoctor site to build with the new configuration.
2020-07-02 07:57:43 +02:00
Niklas Fasching
2d42ba912b deps: Update go-org to v1.2.0
- Add support for #+MACRO
- fix a bug with #+LINK (edge case, should never happen anyways :TM:)
- Make title export optional (add export option)
- Remove cosmetic whitespace added by go-org (for easier visual
  diffing) inside p tags (<p>\nfoo\n</p> => <p>foo</p>)
  (should make `white-space: pre` on p look more in line with expectations)
- implement table separators via multiple tbodies (the html spec is ok with
  that)
2020-06-27 13:28:01 +02:00
Derk Muenchhausen
f0266e2ef3
Rework external asciidoctor integration
This commit solves the relative path problem with asciidoctor tooling. An include will resolve relatively, so you can refer easily to files in the same folder.

Also `asciidoctor-diagram` and PlantUML rendering works now, because the created temporary files will be placed in the correct folder.

This patch covers just the Ruby version of asciidoctor. The old AsciiDoc CLI EOLs in Jan 2020, so this variant is removed from code.

The configuration is completely rewritten and now available in `config.toml` under the key `[markup.asciidocext]`:

```toml
[markup.asciidocext]
    extensions = ["asciidoctor-html5s", "asciidoctor-diagram"]
    workingFolderCurrent = true
    trace = true
    [markup.asciidocext.attributes]
        my-base-url = "https://example.com/"
        my-attribute-name = "my value"
```

- backends, safe-modes, and extensions are now whitelisted to the popular (ruby) extensions and valid values.
- the default for extensions is to not enable any, because they're all external dependencies so the build would break if the user didn't install them beforehand.
- the default backend is html5 because html5s is an external gem dependency.
- the default safe-mode is safe, explanations of the modes: https://asciidoctor.org/man/asciidoctor/
- the config is namespaced under asciidocext_config and the parser looks at asciidocext to allow a future native Go asciidoc.
- `uglyUrls=true` option and `--source` flag are supported
- `--destination` flag is required

Follow the updated documentation under `docs/content/en/content-management/formats.md`. 
  
This patch would be a breaking change, because you need to correct all your absolute include pathes to relative paths, so using relative paths must be configured explicitly by setting `workingFolderCurrent = true`.
2020-06-25 09:51:33 +02:00
Eli W. Hunter
423b8f2fb8 Add render template hooks for headings
This commit also

* Renames previous types to be non-specific. (e.g. hookedRenderer rather
  than linkRenderer)

Resolves #6713
2020-05-15 21:12:43 +02:00
Niklas Fasching
2b28e5a9cb deps: Update go-org to v1.1.0
- inline source blocks and exports
- result blocks and source block :exports parameter
- fix: html escaping in example blocks
- #+LINK based links
2020-04-17 22:07:52 +02:00
Bjørn Erik Pedersen
7204b354a9 Some minify configuration adjustments 2020-03-20 20:35:57 +01:00
SatowTakeshi
574c2959b8 Add minify config
Fixes #6750
Updates #6892
2020-03-20 20:35:57 +01:00
Elliott Sales de Andrade
52c159c452 Update to goldmark 1.1.25.
This fixes a bug, so there's a small change to tests.
2020-03-19 12:26:19 +01:00
satotake
ca68abf0bc
Fix goldmark toc rendering
Previously gordmark-based TOC renderes only `KindText` and `KindString`

This commit expands target node with Goldmark's renderer

I am not sure of what are expected results as TOC contents in some (rare) cases
but Blackfriday's behaviours are fundamentally respected.

For example,
- image `[image text](link)` is rendered as `<img>` tag
- GFM AutoLink `gohugo.io` is rendered as text

* Render AutoLink as <a> tag as Blackfriday does

Fixes #6736
Fixes #6809
2020-02-22 18:06:30 +01:00
Bjørn Erik Pedersen
19e12caf8c
Fix RenderString for pages without content
Fixes #6882
2020-02-18 14:08:59 +01:00
satotake
3c568ad013
markup/highlight: Fix chroma highlight
* Use chroma.Coalesce
* Escape code strings if lexer is nil

Fixes #6877
Fixes #6856
2020-02-17 14:59:26 +01:00
Matt Riggott
d3e8ab2e39 deps: Update Goldmark to v1.1.21
This is the first version of Goldmark that supports all the
Smartypants-style typographic punctuation transformations. Now, a
straight single quote in the middle of a word is translated into a curly
quote (e.g. "that's" becomes "that&rsquo;s"). Earlier versions leave
them untouched. This brings Goldmark in line with Blackfriday.

Fixes #6571.
2020-01-15 12:07:25 +01:00