From: Joe Mooring Date: Wed, 16 Feb 2022 18:56:23 +0000 (-0800) Subject: markup/goldmark: Exclude event attributes from markdown render hook X-Git-Tag: v0.93.0~52 X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=ff545f4276d45aa8dc498e21c577d09b5b2307b6;p=brevno-suite%2Fhugo markup/goldmark: Exclude event attributes from markdown render hook Fixes #9511 --- diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go index 0f47f4ad..eda2ac42 100644 --- a/markup/goldmark/integration_test.go +++ b/markup/goldmark/integration_test.go @@ -20,6 +20,7 @@ import ( "github.com/gohugoio/hugo/hugolib" ) +// Issue 9463 func TestAttributeExclusion(t *testing.T) { t.Parallel() @@ -55,9 +56,42 @@ foo ).Build() b.AssertFileContent("public/p1/index.html", ` -

-
-
+

+
+
+ `) +} + +// Issue 9511 +func TestAttributeExclusionWithRenderHook(t *testing.T) { + t.Parallel() + + files := ` +-- content/p1.md -- +--- +title: "p1" +--- +## Heading {onclick="alert('renderhook')" data-foo="bar"} +-- layouts/_default/single.html -- +{{ .Content }} +-- layouts/_default/_markup/render-heading.html -- +{{ .Text | safeHTML }} +` + + b := hugolib.NewIntegrationTestBuilder( + hugolib.IntegrationTestConfig{ + T: t, + TxtarString: files, + NeedsOsFS: false, + }, + ).Build() + + b.AssertFileContent("public/p1/index.html", ` +

Heading

`) } diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go index 5c600204..1862c212 100644 --- a/markup/goldmark/render_hooks.go +++ b/markup/goldmark/render_hooks.go @@ -57,6 +57,9 @@ func (a *attributesHolder) Attributes() map[string]string { a.attributesInit.Do(func() { a.attributes = make(map[string]string) for _, attr := range a.astAttributes { + if strings.HasPrefix(string(attr.Name), "on") { + continue + } a.attributes[string(attr.Name)] = string(util.EscapeHTML(attr.Value.([]byte))) } })