Allow whitelisting mediaTypes used in resources.GetRemote

Fixes #10286

2 files changed, 25 insertions, 3 deletions

diff --git a/hugolib/securitypolicies_test.go b/hugolib/securitypolicies_test.go
index aa062bb1f..5b9267b59 100644
--- a/hugolib/securitypolicies_test.go
+++ b/hugolib/securitypolicies_test.go
@@ -138,9 +138,9 @@ func TestSecurityPolicies(t *testing.T) {
 		}
 		cb := func(b *sitesBuilder) {
 			b.WithConfigFile("toml", `
-			[security]
-			[security.exec]
-			allow="none"	
+[security]
+[security.exec]
+allow="none"	
 		
 			`)
 			b.WithTemplatesAdded("index.html", `{{ $scss := "body { color: #333; }" | resources.FromString "foo.scss"  | resources.ToCSS (dict "transpiler" "dartsass") }}`)
@@ -170,6 +170,28 @@ urls="none"
 			})
 	})
 
+	c.Run("resources.GetRemote, fake JSON", func(c *qt.C) {
+		c.Parallel()
+		httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, `(?s).*failed to resolve media type.*`,
+			func(b *sitesBuilder) {
+				b.WithConfigFile("toml", `
+`)
+			})
+	})
+
+	c.Run("resources.GetRemote, fake JSON whitelisted", func(c *qt.C) {
+		c.Parallel()
+		httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, ``,
+			func(b *sitesBuilder) {
+				b.WithConfigFile("toml", `
+[security]		
+[security.http]
+mediaTypes=["application/json"]
+
+`)
+			})
+	})
+
 	c.Run("getJSON, OK", func(c *qt.C) {
 		c.Parallel()
 		httpTestVariant(c, `{{ $json := getJSON "%[1]s/fruits.json" }}{{ $json.Content }}`, "", nil)
diff --git a/hugolib/testdata/fakejson.json b/hugolib/testdata/fakejson.json
new file mode 100644
index 000000000..f191b280c
--- /dev/null
+++ b/hugolib/testdata/fakejson.json