Fixes #7698.

markup: Allow installed arbitrary Asciidoc extension via path validation.
author: gzagatti <gzagatti@users.noreply.github.com> 2021-01-11 16:46:31 +0800
committer: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> 2021-02-22 13:52:04 +0100
commit: 01dd7c16af6204d18d530f9d3018689215482170 (patch)
tree: 4020b7fc7f4d6e96b942d4800c00b82cad178ae9 /docs
parent: c8f45d1d861f596821afc068bd12eb1213aba5ce (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/docs/content/en/content-management/formats.md b/docs/content/en/content-management/formats.md
index 576ce2fa3..5654be7f0 100644
--- a/docs/content/en/content-management/formats.md
+++ b/docs/content/en/content-management/formats.md
@@ -100,6 +100,8 @@ Below are all the AsciiDoc related settings in Hugo with their default values:
 
 {{< code-toggle config="markup.asciidocExt" />}}
 
+Notice that for security concerns only extensions that do not have path separators (either `\`, `/` or `.`) are allowed. That means that extensions can only be invoked if they are in one's ruby's `$LOAD_PATH` (ie. most likely, the extension has been installed by the user). Any extension declared relative to the website's path will not be accepted.
+
 Example of how to set extensions and attributes:
 
 ```
author	gzagatti <gzagatti@users.noreply.github.com>	2021-01-11 16:46:31 +0800
committer	Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>	2021-02-22 13:52:04 +0100
commit	01dd7c16af6204d18d530f9d3018689215482170 (patch)
tree	4020b7fc7f4d6e96b942d4800c00b82cad178ae9 /docs
parent	c8f45d1d861f596821afc068bd12eb1213aba5ce (diff)