From ff545f4276d45aa8dc498e21c577d09b5b2307b6 Mon Sep 17 00:00:00 2001
From: Joe Mooring
Date: Wed, 16 Feb 2022 10:56:23 -0800
Subject: [PATCH] markup/goldmark: Exclude event attributes from markdown render hook
Fixes #9511
---
 markup/goldmark/integration_test.go | 40 ++++++++++++++++++++++++++---
 markup/goldmark/render_hooks.go | 3 +++
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go
index 0f47f4ada..eda2ac423 100644
--- a/markup/goldmark/integration_test.go
+++ b/markup/goldmark/integration_test.go
@@ -20,6 +20,7 @@ import (
 "github.com/gohugoio/hugo/hugolib"
 )
+// Issue 9463
 func TestAttributeExclusion(t *testing.T) {
 t.Parallel()
@@ -55,9 +56,42 @@ foo
 ).Build()
 b.AssertFileContent("public/p1/index.html", `
-

-
-
+

+
+
+ `)
+}
+
+// Issue 9511
+func TestAttributeExclusionWithRenderHook(t *testing.T) {
+ t.Parallel()
+
+ files := `
+-- content/p1.md --
+---
+title: "p1"
+---
+## Heading {onclick="alert('renderhook')" data-foo="bar"}
+-- layouts/_default/single.html --
+{{ .Content }}
+-- layouts/_default/_markup/render-heading.html --
+{{ .Text | safeHTML }}
+`
+
+ b := hugolib.NewIntegrationTestBuilder(
+ hugolib.IntegrationTestConfig{
+ T: t,
+ TxtarString: files,
+ NeedsOsFS: false,
+ },
+ ).Build()
+
+ b.AssertFileContent("public/p1/index.html", `
+

Heading

`)
 }
diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go
index 5c600204c..1862c2125 100644
--- a/markup/goldmark/render_hooks.go
+++ b/markup/goldmark/render_hooks.go
@@ -57,6 +57,9 @@ func (a *attributesHolder) Attributes() map[string]string {
 a.attributesInit.Do(func() {
 a.attributes = make(map[string]string)
 for _, attr := range a.astAttributes {
+ if strings.HasPrefix(string(attr.Name), "on") {
+ continue
+ }
 a.attributes[string(attr.Name)] = string(util.EscapeHTML(attr.Value.([]byte)))
 }
 })
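Review bot: The added `strings.HasPrefix(string(attr.Name), "on")` check in `Attributes()` is case-sensitive, while HTML attribute names are not, so a name written as `ONCLICK` or `OnClick` would still be copied into the map handed to the render hook if the Markdown attribute parser keeps the author's casing (that parser is not visible here). Lower-casing before the comparison closes the gap: `if strings.HasPrefix(strings.ToLower(string(attr.Name)), "on") {`. The new test in integration_test.go only exercises a lower-case `onclick`, so a mixed-case heading attribute would be a worthwhile second case. A one-line comment above the check, such as `// Skip event-handler attributes (on*) so they never reach render hook templates.`, would record why the prefix is filtered; the function's signature appears only in the hunk header, so the rest of its body lies outside this hunk.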