f4389e48ce
This commit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
enableInlineShortcodes = false

[security.exec]
allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

[security.funcs]
getenv = ['^HUGO_']

[security.http]
methods = ['(?i)GET|POST']
urls = ['.*']
```
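Added example, not part of the commit message and not Hugo's own code: a small Go audit helper that checks which binaries and environment variables the default `security.exec` patterns above would block, and why the `^`/`$` anchors matter. The names `allowlist`, `mustAllowlist`, `accepts` and `denied` are hypothetical, the sample names are constructed, and it assumes patterns are applied as unanchored searches, the way Go's `regexp.MatchString` behaves.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowlist is a hypothetical stand-in for one option of the [security] section.
type allowlist []*regexp.Regexp

// mustAllowlist compiles the patterns (panics on a bad one); "none" blocks all.
func mustAllowlist(patterns ...string) allowlist {
	if len(patterns) == 1 && patterns[0] == "none" {
		return allowlist{}
	}
	var a allowlist
	for _, p := range patterns {
		a = append(a, regexp.MustCompile(p))
	}
	return a
}

// accepts assumes unanchored search (Go's MatchString); anchors must be in the pattern.
func (a allowlist) accepts(name string) bool {
	for _, re := range a {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

// denied lists the names a policy would block, for a pre-deploy audit.
func denied(a allowlist, names ...string) []string {
	var out []string
	for _, n := range names {
		if !a.accepts(n) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	execAllow := mustAllowlist(`^dart-sass-embedded$`, `^go$`, `^npx$`, `^postcss$`)
	osEnv := mustAllowlist(`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`)
	fmt.Println(denied(execAllow, "go", "asciidoctor", "gofmt", "postcss")) // constructed names
	fmt.Println(denied(osEnv, "Path", "TERM", "AWS_SECRET_ACCESS_KEY"))     // constructed names
	fmt.Println(mustAllowlist(`go`).accepts("gofmt"), mustAllowlist("none").accepts("go"))
}
```

The last line shows the failure mode to watch for when writing your own patterns: an unanchored `go` accepts `gofmt`, while the anchored default `^go$` does not.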
Hugo Docs
Documentation site for Hugo, the very fast and flexible static site generator built with love in Go.
Contributing
We welcome contributions to Hugo of any kind including documentation, suggestions, bug reports, pull requests etc. Also check out our contribution guide. We would love to hear from you.
Note that this repository contains solely the documentation for Hugo. For contributions that aren't documentation-related please refer to the hugo repository.
Pull requests shall only contain changes to the actual documentation. However, changes on the code base of Hugo and the documentation shall be a single, atomic pull request in the hugo repository.
Spelling fixes are most welcome, and if you want to contribute longer sections to the documentation, it would be great if you had the following criteria in mind when writing:
- Short is good. People go to the library to read novels. If there is more than one way to do a thing in Hugo, describe the current best practice (avoid "… but you can also do …" and "… in older versions of Hugo you had to …").
- For example, try to find short snippets that teach people about the concept. If the example is also useful as-is (copy and paste), then great. Don't list long and similar examples just so people can use them on their sites.
- Hugo has users from all over the world, so easy to understand and simple English is good.
Branches
- The `master` branch is where the site is automatically built from, and is the place to put changes relevant to the current Hugo version.
- The `next` branch is where we store changes that are related to the next Hugo release. This can be previewed here: https://next--gohugoio.netlify.com/
Build
To view the documentation site locally, you need to clone this repository:
```bash
git clone https://github.com/gohugoio/hugoDocs.git
```
Note that the documentation for a given version of Hugo can also be found in the `/docs` sub-folder of the Hugo source repository.
Then to view the docs in your browser, run Hugo and open up the link:
```
▶ hugo server
Started building sites ...
.
.
Serving pages from memory
Web Server is available at http://localhost:1313/ (bind address 127.0.0.1)
Press Ctrl+C to stop
```