tpl: Escape .Title in built-in image and link render hooks

Co-authored-by: Joe Mooring <joe@mooring.com>
gohugoio · Apr 22, 2024 · 15a4b9b · 15a4b9b
1 parent 10a8448
commit 15a4b9b
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 2 deletions.
diff --git a/.hugo_build.lock b/.hugo_build.lock
diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go
@@ -14,6 +14,7 @@
 package hugolib
 
 import (
+	"fmt"
 	"strings"
 	"testing"
 )
@@ -241,3 +242,52 @@ iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
 			"p1|<p><a href=\"p2\">P2</a>", "<img src=\"pixel.png\" alt=\"Pixel\">")
 	})
 }
+
+func TestRenderHooksDefaultEscape(t *testing.T) {
+	files := `
+-- hugo.toml --
+[markup.goldmark.renderHooks]
+[markup.goldmark.renderHooks.image]
+  enableDefault = ENABLE
+[markup.goldmark.renderHooks.link]
+enableDefault = ENABLE
+[markup.goldmark.parser]
+wrapStandAloneImageWithinParagraph = false
+[markup.goldmark.parser.attribute]
+block = true
+title = true
+-- content/_index.md --
+---
+title: "Home"
+---
+Link: [text-"<>&](/destination-"<> 'title-"<>&')
+
+Image: ![alt-"<>&](/destination-"<> 'title-"<>&')
+{class="><script>alert()</script>" id="baz"}
+
+-- layouts/index.html --
+{{ .Content }}
+`
+
+	for _, enabled := range []bool{true, false} {
+		enabled := enabled
+		t.Run(fmt.Sprint(enabled), func(t *testing.T) {
+			t.Parallel()
+			b := Test(t, strings.ReplaceAll(files, "ENABLE", fmt.Sprint(enabled)))
+
+			// The escaping is slightly different between the two.
+			if enabled {
+				b.AssertFileContent("public/index.html",
+					"Link: <a href=\"/destination-%22%3C%3E\" title=\"title-&#34;&lt;&gt;&amp;\">text-&quot;&lt;&gt;&amp;</a>",
+					"img alt=\"alt-&quot;&lt;&gt;&amp;\" src=\"/destination-%22%3C%3E\" title=\"title-&#34;&lt;&gt;&amp;\">",
+					"&gt;&lt;script&gt;",
+				)
+			} else {
+				b.AssertFileContent("public/index.html",
+					"Link: <a href=\"/destination-%22%3C%3E\" title=\"title-&quot;&lt;&gt;&amp;\">text-&quot;&lt;&gt;&amp;</a>",
+					"Image: <img src=\"/destination-%22%3C%3E\" alt=\"alt-&quot;&lt;&gt;&amp;\" title=\"title-&quot;&lt;&gt;&amp;\">",
+				)
+			}
+		})
+	}
+}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
@@ -5,7 +5,7 @@
     {{- $src = .RelPermalink -}}
   {{- end -}}
 {{- end -}}
-{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
+{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
 <img
   {{- range $k, $v := $attributes -}}
     {{- if $v -}}

diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
@@ -17,7 +17,7 @@
     {{- end -}}
   {{- end -}}
 {{- end -}}
-{{- $attributes := dict "href" $href "title" .Title -}}
+{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
 <a
   {{- range $k, $v := $attributes -}}
     {{- if $v -}}