quentin/hugo-wasm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Also handle inline HTML comments

Browse source
This commit is contained in:
Bjørn Erik Pedersen 2025-01-21 18:52:58 +01:00
parent f1de5d2a04
commit 637995ba8f
2 changed files with 33 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
markup/goldmark/goldmark_integration_test.go
View file

@ -885,10 +885,27 @@ title: "p1"
<img border="0" src="pic_trulli.jpg" alt="Trulli"> <img border="0" src="pic_trulli.jpg" alt="Trulli">
--> -->
XSS ## XSS
<!-- --><script>alert("I just escaped the HTML comment")</script><!-- --> <!-- --><script>alert("I just escaped the HTML comment")</script><!-- -->
## More
This is a <!--hidden--> word.
This is a <!-- hidden--> word.
This is a <!-- hidden --> word.
This is a <!--
hidden --> word.
This is a <!--
hidden
--> word.
-- layouts/_default/single.html -- -- layouts/_default/single.html --
{{ .Content }} {{ .Content }}
` `

24
markup/goldmark/hugocontext/hugocontext.go
View file

@ -169,14 +169,16 @@ func (r *hugoContextRenderer) getPage(w util.BufWriter) any {
return p return p
} }
func (r *hugoContextRenderer) isHTMLComment(b []byte) bool {
return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
}
// HTML rendering based on Goldmark implementation. // HTML rendering based on Goldmark implementation.
func (r *hugoContextRenderer) renderHTMLBlock( func (r *hugoContextRenderer) renderHTMLBlock(
w util.BufWriter, source []byte, node ast.Node, entering bool, w util.BufWriter, source []byte, node ast.Node, entering bool,
) (ast.WalkStatus, error) { ) (ast.WalkStatus, error) {
n := node.(*ast.HTMLBlock) n := node.(*ast.HTMLBlock)
isHTMLComment := func(b []byte) bool {
return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
}
if entering { if entering {
if r.Unsafe { if r.Unsafe {
l := n.Lines().Len() l := n.Lines().Len()
@ -193,7 +195,7 @@ func (r *hugoContextRenderer) renderHTMLBlock(
} else { } else {
l := n.Lines().At(0) l := n.Lines().At(0)
v := l.Value(source) v := l.Value(source)
if !isHTMLComment(v) { if !r.isHTMLComment(v) {
r.logRawHTMLEmittedWarn(w) r.logRawHTMLEmittedWarn(w)
_, _ = w.WriteString("<!-- raw HTML omitted -->\n") _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
} }
@ -206,7 +208,7 @@ func (r *hugoContextRenderer) renderHTMLBlock(
} else { } else {
l := n.Lines().At(0) l := n.Lines().At(0)
v := l.Value(source) v := l.Value(source)
if !isHTMLComment(v) { if !r.isHTMLComment(v) {
_, _ = w.WriteString("<!-- raw HTML omitted -->\n") _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
} }
} }
@ -221,17 +223,21 @@ func (r *hugoContextRenderer) renderRawHTML(
if !entering { if !entering {
return ast.WalkSkipChildren, nil return ast.WalkSkipChildren, nil
} }
n := node.(*ast.RawHTML)
l := n.Segments.Len()
if r.Unsafe { if r.Unsafe {
n := node.(*ast.RawHTML)
l := n.Segments.Len()
for i := 0; i < l; i++ { for i := 0; i < l; i++ {
segment := n.Segments.At(i) segment := n.Segments.At(i)
_, _ = w.Write(segment.Value(source)) _, _ = w.Write(segment.Value(source))
} }
return ast.WalkSkipChildren, nil return ast.WalkSkipChildren, nil
} }
r.logRawHTMLEmittedWarn(w) segment := n.Segments.At(0)
_, _ = w.WriteString("<!-- raw HTML omitted -->") v := segment.Value(source)
if !r.isHTMLComment(v) {
r.logRawHTMLEmittedWarn(w)
_, _ = w.WriteString("<!-- raw HTML omitted -->")
}
return ast.WalkSkipChildren, nil return ast.WalkSkipChildren, nil
} }