Also handle inline HTML comments

2025-01-21 18:52:58 +01:00 · 2025-01-21 18:52:58 +01:00 · 637995ba8f
commit 637995ba8f
parent f1de5d2a04
2 changed files with 33 additions and 10 deletions
--- a/markup/goldmark/goldmark_integration_test.go
+++ b/markup/goldmark/goldmark_integration_test.go
@ -885,10 +885,27 @@ title: "p1"
 <img border="0" src="pic_trulli.jpg" alt="Trulli">
 -->

-XSS 
+## XSS 

 <!-- --><script>alert("I just escaped the HTML comment")</script><!-- -->

+
+## More
+
+This is a <!--hidden--> word.
+
+This is a <!-- hidden--> word.
+
+This is a <!-- hidden --> word.
+
+This is a <!-- 
+hidden --> word.
+
+This is a <!-- 
+hidden
+--> word.
+
+
 -- layouts/_default/single.html --
 {{ .Content }}
 `
--- a/markup/goldmark/hugocontext/hugocontext.go
+++ b/markup/goldmark/hugocontext/hugocontext.go
@ -169,14 +169,16 @@ func (r *hugoContextRenderer) getPage(w util.BufWriter) any {
 	return p
 }

+func (r *hugoContextRenderer) isHTMLComment(b []byte) bool {
+	return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
+}
+
 // HTML rendering based on Goldmark implementation.
 func (r *hugoContextRenderer) renderHTMLBlock(
 	w util.BufWriter, source []byte, node ast.Node, entering bool,
 ) (ast.WalkStatus, error) {
 	n := node.(*ast.HTMLBlock)
-	isHTMLComment := func(b []byte) bool {
-		return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
-	}
+
 	if entering {
 		if r.Unsafe {
 			l := n.Lines().Len()
@ -193,7 +195,7 @@ func (r *hugoContextRenderer) renderHTMLBlock(
 		} else {
 			l := n.Lines().At(0)
 			v := l.Value(source)
-			if !isHTMLComment(v) {
+			if !r.isHTMLComment(v) {
 				r.logRawHTMLEmittedWarn(w)
 				_, _ = w.WriteString("<!-- raw HTML omitted -->\n")
 			}
@ -206,7 +208,7 @@ func (r *hugoContextRenderer) renderHTMLBlock(
 			} else {
 				l := n.Lines().At(0)
 				v := l.Value(source)
-				if !isHTMLComment(v) {
+				if !r.isHTMLComment(v) {
 					_, _ = w.WriteString("<!-- raw HTML omitted -->\n")
 				}
 			}
@ -221,17 +223,21 @@ func (r *hugoContextRenderer) renderRawHTML(
 	if !entering {
 		return ast.WalkSkipChildren, nil
 	}
+	n := node.(*ast.RawHTML)
+	l := n.Segments.Len()
 	if r.Unsafe {
-		n := node.(*ast.RawHTML)
-		l := n.Segments.Len()
 		for i := 0; i < l; i++ {
 			segment := n.Segments.At(i)
 			_, _ = w.Write(segment.Value(source))
 		}
 		return ast.WalkSkipChildren, nil
 	}
-	r.logRawHTMLEmittedWarn(w)
-	_, _ = w.WriteString("<!-- raw HTML omitted -->")
+	segment := n.Segments.At(0)
+	v := segment.Value(source)
+	if !r.isHTMLComment(v) {
+		r.logRawHTMLEmittedWarn(w)
+		_, _ = w.WriteString("<!-- raw HTML omitted -->")
+	}
 	return ast.WalkSkipChildren, nil
 }