commit ff545f4276d45aa8dc498e21c577d09b5b2307b6
parent b2a827c52c91d9219306b5c996074d2e1ced5342
Author: Joe Mooring <joe.mooring@veriphor.com>
Date:   Wed, 16 Feb 2022 10:56:23 -0800

markup/goldmark: Exclude event attributes from markdown render hook

Fixes #9511
Diffstat:
Mmarkup/goldmark/integration_test.go | 40+++++++++++++++++++++++++++++++++++++---
Mmarkup/goldmark/render_hooks.go | 3+++
2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/gohugoio/hugo/hugolib"
 )
 
+// Issue 9463
 func TestAttributeExclusion(t *testing.T) {
 	t.Parallel()
 
@@ -55,9 +56,42 @@ foo
 	).Build()
 
 	b.AssertFileContent("public/p1/index.html", `
-<h2 class="a" id="heading">
-<blockquote class="b">
-<div class="highlight" id="c">
+		<h2 class="a" id="heading">
+		<blockquote class="b">
+		<div class="highlight" id="c">
+	`)
+}
+
+// Issue 9511
+func TestAttributeExclusionWithRenderHook(t *testing.T) {
+	t.Parallel()
+
+	files := `
+-- content/p1.md --
+---
+title: "p1"
+---
+## Heading {onclick="alert('renderhook')" data-foo="bar"}
+-- layouts/_default/single.html --
+{{ .Content }}
+-- layouts/_default/_markup/render-heading.html --
+<h{{ .Level }}
+  {{- range $k, $v := .Attributes -}}
+    {{- printf " %s=%q" $k $v | safeHTMLAttr -}}
+  {{- end -}}
+>{{ .Text | safeHTML }}</h{{ .Level }}>
+`
+
+	b := hugolib.NewIntegrationTestBuilder(
+		hugolib.IntegrationTestConfig{
+			T:           t,
+			TxtarString: files,
+			NeedsOsFS:   false,
+		},
+	).Build()
+
+	b.AssertFileContent("public/p1/index.html", `
+		<h2 data-foo="bar" id="heading">Heading</h2>
 	`)
 }
 
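Review bot: The new test in TestAttributeExclusionWithRenderHook exercises only a lowercase `onclick`, so it cannot tell whether the exclusion also covers mixed-case spellings such as `ONCLICK` or `onMouseOver`, which browsers treat identically to the lowercase form. If goldmark preserves attribute-name case when parsing `{...}` blocks (not visible here, worth confirming), a prefix check on the raw name would let those through. I would add a second heading to the fixture, `## Heading2 {ONCLICK="alert('x')" onMouseOver="y"}`, and assert `<h2 id="heading2">Heading2</h2>` alongside the existing expectation so the case-handling is pinned either way. The fixture's render-heading template deliberately pipes attribute values through `safeHTMLAttr`, which is the right way to reproduce the issue, but a one-line comment saying so (`// safeHTMLAttr bypasses template escaping on purpose: this is the unsafe pattern the exclusion protects`) would stop a later reader from "fixing" the test.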
diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go
@@ -57,6 +57,9 @@ func (a *attributesHolder) Attributes() map[string]string {
 	a.attributesInit.Do(func() {
 		a.attributes = make(map[string]string)
 		for _, attr := range a.astAttributes {
+			if strings.HasPrefix(string(attr.Name), "on") {
+				continue
+			}
 			a.attributes[string(attr.Name)] = string(util.EscapeHTML(attr.Value.([]byte)))
 		}
 	})
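Review bot: The `strings.HasPrefix(string(attr.Name), "on")` check added at the top of the loop is case-sensitive, so if goldmark hands over attribute names as written in the markdown, `ONCLICK="..."` or `OnClick="..."` would survive into `a.attributes` while browsers still treat them as event handlers; the added test only covers the lowercase spelling. A case-folded comparison closes that gap without changing anything else: `if strings.HasPrefix(strings.ToLower(string(attr.Name)), "on") {`. Note also that this only excludes event-handler attributes; URL-bearing ones such as `href`, `src` or `formaction` and `style` still pass through, so a render hook that marks attributes safe (as the new test's template does with `safeHTMLAttr`) remains responsible for those. I would put that intent next to the check: `// Drop on* event-handler attributes so markdown authors cannot inject script through render hooks that emit .Attributes as safe HTML; other attributes are passed through unchanged.` The enclosing Attributes() method begins before this hunk.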