author    Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>  2021-12-12 12:11:11 +0100
committer Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>  2021-12-16 09:40:22 +0100
commit    f4389e48ce0a70807362772d66c12ab5cd9e15f8 (patch)
tree      1334516a199dcdf4133758e3664348287e73e88b /docs
parent    803f572e66c5e22213ddcc994c41b3e80e9c1f35 (diff)
Add some basic security policies with sensible defaults
This commit contains some security hardening measures for the Hugo build runtime. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers". For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off. You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do. The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']
  [security.funcs]
    getenv = ['^HUGO_']
  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
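To make the whitelist semantics in the message concrete, here is an added Go example. It is not Hugo's own `security` package and not part of this commit: it compiles the defaults quoted above into a small matcher and evaluates a few constructed inputs against them, covering the `none` value (as the message describes it) and the difference between the unanchored `(?i)GET|POST` pattern and an anchored variant, which is my suggestion rather than something the commit ships.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Whitelist models the regular-expression whitelists described in the
// commit message: one or more patterns, or the single value "none",
// which matches nothing. Illustrative stand-in, not Hugo's implementation.
type Whitelist struct {
	patterns []*regexp.Regexp
	none     bool
}

// NewWhitelist compiles the patterns. The handling of "none" is taken
// from the commit message ("the value `none` will block all").
func NewWhitelist(patterns ...string) (*Whitelist, error) {
	if len(patterns) == 1 && strings.TrimSpace(patterns[0]) == "none" {
		return &Whitelist{none: true}, nil
	}
	wl := &Whitelist{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid whitelist pattern %q: %w", p, err)
		}
		wl.patterns = append(wl.patterns, re)
	}
	return wl, nil
}

// Accept reports whether s matches at least one pattern. regexp.MatchString
// is a substring search, so a pattern without ^ and $ also accepts strings
// that merely contain a match.
func (w *Whitelist) Accept(s string) bool {
	if w.none {
		return false
	}
	for _, re := range w.patterns {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

func mustWhitelist(patterns ...string) *Whitelist {
	wl, err := NewWhitelist(patterns...)
	if err != nil {
		panic(err)
	}
	return wl
}

// The patterns below are the defaults quoted in the commit message.
var (
	execAllow   = mustWhitelist(`^dart-sass-embedded$`, `^go$`, `^npx$`, `^postcss$`)
	osEnvAllow  = mustWhitelist(`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`)
	getenvAllow = mustWhitelist(`^HUGO_`)
	httpMethods = mustWhitelist(`(?i)GET|POST`) // as shipped: unanchored
	// Anchored variant of the method pattern (a suggestion, not in the commit).
	httpMethodsAnchored = mustWhitelist(`(?i)^(GET|POST)$`)
	// What the HUGO_SECURITY_HTTP_URLS=none override in the docs amounts to.
	httpURLsNone = mustWhitelist(`none`)
)

func ExecAllowed(binary string) bool           { return execAllow.Accept(binary) }
func OSEnvAllowed(name string) bool            { return osEnvAllow.Accept(name) }
func GetenvAllowed(name string) bool           { return getenvAllow.Accept(name) }
func MethodAllowed(method string) bool         { return httpMethods.Accept(method) }
func MethodAllowedAnchored(method string) bool { return httpMethodsAnchored.Accept(method) }
func URLAllowedWhenNone(url string) bool       { return httpURLsNone.Accept(url) }

func main() {
	// Constructed inputs; each line shows one policy decision.
	fmt.Println("exec go:", ExecAllowed("go"), "exec asciidoctor:", ExecAllowed("asciidoctor"))
	fmt.Println("osEnv path (case-insensitive):", OSEnvAllowed("path"), "osEnv HOME:", OSEnvAllowed("HOME"))
	fmt.Println("getenv HUGO_ENV:", GetenvAllowed("HUGO_ENV"), "getenv AWS_SECRET:", GetenvAllowed("AWS_SECRET"))
	fmt.Println("method XGETX unanchored:", MethodAllowed("XGETX"), "anchored:", MethodAllowedAnchored("XGETX"))
	fmt.Println("urls=none example.org:", URLAllowedWhenNone("https://example.org/data.json"))
}
```

Running it shows that every default except `methods` is anchored, so `go-run` is rejected by `^go$` while `XGETX` slips through `(?i)GET|POST`; the anchored variant rejects it. A `none` list rejects every input regardless of pattern.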
Diffstat (limited to 'docs')
-rw-r--r--  docs/config/_default/security.toml                 13
-rw-r--r--  docs/content/en/about/security-model/index.md      21
-rw-r--r--  docs/content/en/getting-started/configuration.md    4
-rw-r--r--  docs/data/docs.json                                37
4 files changed, 71 insertions, 4 deletions
diff --git a/docs/config/_default/security.toml b/docs/config/_default/security.toml
new file mode 100644
index 000000000..73af66164
--- /dev/null
+++ b/docs/config/_default/security.toml
@@ -0,0 +1,13 @@
+
+ enableInlineShortcodes = false
+
+ [exec]
+ allow = ['^go$']
+ osEnv = ['^PATH$']
+
+ [funcs]
+ getenv = ['^HUGO_', '^REPOSITORY_URL$']
+
+ [http]
+ methods = ['(?i)GET|POST']
+ urls = ['.*'] \ No newline at end of file
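Review bot: `methods = ['(?i)GET|POST']` is the only pattern in this file that is not anchored, so as a substring match it also accepts method strings that merely contain GET or POST; for consistency with `allow`, `osEnv` and `getenv`, anchor it as `(?i)^(GET|POST)$`. The file also opens with a blank line and ends without a trailing newline (`\ No newline at end of file`); drop the leading blank and add the final newline.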
diff --git a/docs/content/en/about/security-model/index.md b/docs/content/en/about/security-model/index.md
index 7a7841131..aed925d49 100644
--- a/docs/content/en/about/security-model/index.md
+++ b/docs/content/en/about/security-model/index.md
@@ -21,14 +21,29 @@ Hugo produces static output, so once built, the runtime is the browser (assuming
But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).
-**Hugo's main approach is that of sandboxing:**
+**Hugo's main approach is that of sandboxing and a security policy with strict defaults:**
* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have only read-access to the filesystem.
-* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
+* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
-Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true.
+
+## Security Policy
+
+{{< new-in "0.91.0" >}}
+
+Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar.
+
+The defdault configuration is listed below. And build using features not whitelisted in the security policy will faill with a detailed message about what needs to be done. Most of these settings are whitelists (string or slice, [Regular Expressions](https://pkg.go.dev/regexp) or `none` which matches nothing).
+
+{{< code-toggle config="security" />}}
+
+Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:
+
+```
+HUGO_SECURITY_HTTP_URLS=none hugo
+```
## Dependency Security
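Review bot: the new Security Policy paragraph has three typos on one line: `defdault` should be `default`, `And build using features` should be `Any build using features`, and `faill` should be `fail`. The fenced block holding `HUGO_SECURITY_HTTP_URLS=none hugo` has no language tag; tag it (e.g. `bash`) so it renders as a shell snippet.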
diff --git a/docs/content/en/getting-started/configuration.md b/docs/content/en/getting-started/configuration.md
index 0f48c39e3..2123558d9 100644
--- a/docs/content/en/getting-started/configuration.md
+++ b/docs/content/en/getting-started/configuration.md
@@ -381,6 +381,10 @@ Maximum number of items in the RSS feed.
### sectionPagesMenu
See ["Section Menu for Lazy Bloggers"](/templates/menu-templates/#section-menu-for-lazy-bloggers).
+### security
+
+See [Security Policy](/about/security-model/#security-policy)
+
### sitemap
Default [sitemap configuration](/templates/sitemap-template/#configure-sitemapxml).
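Review bot: the new `### security` entry's `See [Security Policy](/about/security-model/#security-policy)` lacks the trailing period that the neighbouring `sectionPagesMenu` and `sitemap` entries end with.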
diff --git a/docs/data/docs.json b/docs/data/docs.json
index 70a2eafb4..8f8950dc4 100644
--- a/docs/data/docs.json
+++ b/docs/data/docs.json
@@ -1775,9 +1775,15 @@
"permalinks": {
"_merge": "none"
},
+ "privacy": {
+ "_merge": "none"
+ },
"related": {
"_merge": "none"
},
+ "security": {
+ "_merge": "none"
+ },
"sitemap": {
"_merge": "none"
},
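Review bot: the added `"privacy": { "_merge": "none" }` entry is not mentioned in the commit message, which only describes the new `security` section; either call it out in the message or split it into its own commit so the history stays traceable.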
@@ -1822,6 +1828,32 @@
"keepWhitespace": false
}
}
+ },
+ "security": {
+ "enableInlineShortcodes": false,
+ "exec": {
+ "allow": [
+ "^go$",
+ "^npx$",
+ "^postcss$"
+ ],
+ "osEnv": [
+ "(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"
+ ]
+ },
+ "funcs": {
+ "getenv": [
+ "^HUGO_"
+ ]
+ },
+ "http": {
+ "methods": [
+ "(?i)GET|POST"
+ ],
+ "urls": [
+ ".*"
+ ]
+ }
}
},
"media": {
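Review bot: the `exec.allow` list here (`^go$`, `^npx$`, `^postcss$`) omits `^dart-sass-embedded$`, which the commit message lists among the defaults; if this JSON is what `{{< code-toggle config="security" />}}` renders, the documented defaults will disagree with the message. Regenerate docs.json or align the two.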
@@ -1966,7 +1998,10 @@
"string": "image/jpeg",
"suffixes": [
"jpg",
- "jpeg"
+ "jpeg",
+ "jpe",
+ "jif",
+ "jfif"
]
},
{
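Review bot: the extra JPEG suffixes (`jpe`, `jif`, `jfif`) under `image/jpeg` are unrelated to the security policy this commit introduces and are not mentioned in its message; split them into their own commit or note them in the message.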