diff options
-rw-r--r-- | markup/goldmark/integration_test.go | 40 | ||||
-rw-r--r-- | markup/goldmark/render_hooks.go | 3 |
2 files changed, 40 insertions, 3 deletions
diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go index 0f47f4ada..eda2ac423 100644 --- a/markup/goldmark/integration_test.go +++ b/markup/goldmark/integration_test.go @@ -20,6 +20,7 @@ import ( "github.com/gohugoio/hugo/hugolib" ) +// Issue 9463 func TestAttributeExclusion(t *testing.T) { t.Parallel() @@ -55,9 +56,42 @@ foo ).Build() b.AssertFileContent("public/p1/index.html", ` -<h2 class="a" id="heading"> -<blockquote class="b"> -<div class="highlight" id="c"> + <h2 class="a" id="heading"> + <blockquote class="b"> + <div class="highlight" id="c"> + `) +} + +// Issue 9511 +func TestAttributeExclusionWithRenderHook(t *testing.T) { + t.Parallel() + + files := ` +-- content/p1.md -- +--- +title: "p1" +--- +## Heading {onclick="alert('renderhook')" data-foo="bar"} +-- layouts/_default/single.html -- +{{ .Content }} +-- layouts/_default/_markup/render-heading.html -- +<h{{ .Level }} + {{- range $k, $v := .Attributes -}} + {{- printf " %s=%q" $k $v | safeHTMLAttr -}} + {{- end -}} +>{{ .Text | safeHTML }}</h{{ .Level }}> +` + + b := hugolib.NewIntegrationTestBuilder( + hugolib.IntegrationTestConfig{ + T: t, + TxtarString: files, + NeedsOsFS: false, + }, + ).Build() + + b.AssertFileContent("public/p1/index.html", ` + <h2 data-foo="bar" id="heading">Heading</h2> `) } diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go index 5c600204c..1862c2125 100644 --- a/markup/goldmark/render_hooks.go +++ b/markup/goldmark/render_hooks.go @@ -57,6 +57,9 @@ func (a *attributesHolder) Attributes() map[string]string { a.attributesInit.Do(func() { a.attributes = make(map[string]string) for _, attr := range a.astAttributes { + if strings.HasPrefix(string(attr.Name), "on") { + continue + } a.attributes[string(attr.Name)] = string(util.EscapeHTML(attr.Value.([]byte))) } }) |