Do not warn on potentially unsafe HTML comments when unsafe=false - hugo - [fork] hugo port for 9front
---
DIR commit f1de5d2a043ea2271419c0ff145e7f76044be7e8
DIR parent 4b0c194fb318bc8fa38ed021d161901b7f6f7f95
HTML Author: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
Date: Tue, 21 Jan 2025 10:33:27 +0100
Do not warn on potentially unsafe HTML comments when unsafe=false
We still do not render these comments, so from a safety perspective nothing changes; but HTML comments are very common inside Markdown as well, and too useful to discourage with a warning.
Updates #13278
Diffstat:
M markup/goldmark/goldmark_integrati… | 51 +++++++++++++++++++++++++++++++
M markup/goldmark/hugocontext/hugoco… | 17 ++++++++++++++---
2 files changed, 65 insertions(+), 3 deletions(-)
---
DIR diff --git a/markup/goldmark/goldmark_integration_test.go b/markup/goldmark/goldmark_integration_test.go
@@ -851,3 +851,54 @@ title: "p1"
b.AssertFileContent("public/p1/index.html", "! <!-- raw HTML omitted -->")
b.AssertLogContains("! WARN")
}
+
+// See https://github.com/gohugoio/hugo/issues/13278#issuecomment-2603280548
+func TestGoldmarkRawHTMLCommentNoWarning(t *testing.T) {
+ files := `
+-- hugo.toml --
+disableKinds = ['home','rss','section','sitemap','taxonomy','term']
+markup.goldmark.renderer.unsafe = false
+-- content/p1.md --
+---
+title: "p1"
+---
+# HTML comments
+
+## Simple
+<!-- This is a comment -->
+
+ <!-- This is a comment indented -->
+
+ **Hello**<!-- This is a comment indented with markup surrounding. -->_world_.
+## With HTML
+
+<!-- <p>This is another paragraph </p> -->
+
+## With HTML and JS
+
+<!-- <script>alert('hello');</script> -->
+
+## With Block
+
+<!--
+<p>Look at this cool image:</p>
+<img border="0" src="pic_trulli.jpg" alt="Trulli">
+-->
+
+XSS
+
+<!-- --><script>alert("I just escaped the HTML comment")</script><!-- -->
+
+-- layouts/_default/single.html --
+{{ .Content }}
+`
+
+ b := hugolib.Test(t, files, hugolib.TestOptWarn())
+
+ b.AssertFileContent("public/p1/index.html", "! <!-- raw HTML omitted -->")
+ b.AssertLogContains("! Raw HTML omitted")
+
+ b = hugolib.Test(t, strings.ReplaceAll(files, "markup.goldmark.renderer.unsafe = false", "markup.goldmark.renderer.unsafe = true"), hugolib.TestOptWarn())
+ b.AssertFileContent("public/p1/index.html", "<!-- This is a comment -->")
+ b.AssertLogContains("! WARN")
+}
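Review bot: The unsafe=false assertions at L71-L72 never check that the `XSS` case stays out of the output; they pin only that the placeholder and the warning are gone, which is the part the commit relaxes, not the part it claims is unchanged. Since `<!-- --><script>…</script><!-- -->` is one HTML block that now produces neither a placeholder nor a warning, add `b.AssertFileContent("public/p1/index.html", "! <script>", "! alert(")` next to the existing assertion so a regression that starts writing comment blocks in the safe branch is caught here. The `"! Raw HTML omitted"` substring presumably matches the text logged by logRawHTMLEmittedWarn, which is not visible in this diff; the earlier test at L25 uses `"! WARN"`, and using the same form here would make the two tests agree.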
DIR diff --git a/markup/goldmark/hugocontext/hugocontext.go b/markup/goldmark/hugocontext/hugocontext.go
@@ -174,6 +174,9 @@ func (r *hugoContextRenderer) renderHTMLBlock(
w util.BufWriter, source []byte, node ast.Node, entering bool,
) (ast.WalkStatus, error) {
n := node.(*ast.HTMLBlock)
+ isHTMLComment := func(b []byte) bool {
+ return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
+ }
if entering {
if r.Unsafe {
l := n.Lines().Len()
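Review bot: `isHTMLComment` at L83-L85 requires `len(b) > 4`, one byte more than the four-byte `<!--` prefix it actually inspects, so a line that is exactly `<!--` (the opening line of a multi-line comment at end of file, if the segment carries no trailing newline) would be treated as non-comment raw HTML; `bytes.HasPrefix(b, []byte("<!--"))` states the intent without the off-by-one. More directly, CommonMark classifies a block whose first line starts with `<!--` as an HTML block of type 2, so if the goldmark AST field is what I recall, `n.HTMLBlockType == ast.HTMLBlockType2` could replace the byte inspection entirely and would not depend on whether the segment retains the up-to-three leading spaces the spec allows before `<!--` (the indented comment at L43 of the test exercises that case). Either way the closure is rebuilt on every call of renderHTMLBlock and could be a package-level function. renderHTMLBlock's signature is in the hunk header and its body continues past this hunk.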
@@ -188,8 +191,12 @@ func (r *hugoContextRenderer) renderHTMLBlock(
r.Writer.SecureWrite(w, linev)
}
} else {
- r.logRawHTMLEmittedWarn(w)
- _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+ l := n.Lines().At(0)
+ v := l.Value(source)
+ if !isHTMLComment(v) {
+ r.logRawHTMLEmittedWarn(w)
+ _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+ }
}
} else {
if n.HasClosure() {
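Review bot: The new else branch at L95-L100 drops a comment block with no output and no log line, which is safe only because nothing from `n` is written on this path; that reasoning lives in the commit message rather than in the code, so a comment such as `// Comment blocks are dropped silently: nothing is written here, and a block opened by <!-- runs to the line containing -->, so anything after --> on that line goes with it.` would stop a later maintainer from "fixing" the silence by echoing the comment through. The block boundary is what matters: the test's `<!-- --><script>…</script><!-- -->` is a single block starting with `<!--`, so this branch is exactly what keeps that script out of the page. `n.Lines().At(0)` is indexed without a length check; goldmark appears to append the opening line when it creates the block, and the Unsafe branch just above loops over `Lines().Len()`, but if a zero-line block is ever possible this panics, so a `n.Lines().Len() > 0` guard is cheap insurance. The enclosing function starts before this hunk.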
@@ -197,7 +204,11 @@ func (r *hugoContextRenderer) renderHTMLBlock(
closure := n.ClosureLine
r.Writer.SecureWrite(w, closure.Value(source))
} else {
- _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+ l := n.Lines().At(0)
+ v := l.Value(source)
+ if !isHTMLComment(v) {
+ _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+ }
}
}
}
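Review bot: The leaving branch at L109-L113 re-reads `n.Lines().At(0)` and repeats the `isHTMLComment` test the entering branch already made on the same node, so the open and close placeholder decisions can drift apart on a later edit, and both carry the same unguarded index. Computing it once before `if entering`, e.g. `isComment := n.Lines().Len() > 0 && isHTMLComment(n.Lines().At(0).Value(source))`, and testing `!isComment` in both places keeps the two placeholders in step and gives the index a single guard. The function's return statement lies past the end of this hunk.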