From 01dd7c16af6204d18d530f9d3018689215482170 Mon Sep 17 00:00:00 2001
From: gzagatti <gzagatti@users.noreply.github.com>
Date: Mon, 11 Jan 2021 16:46:31 +0800
Subject: Fixes #7698.

markup: Allow installed arbitrary Asciidoc extension via path validation.
---
 docs/content/en/content-management/formats.md | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'docs')

diff --git a/docs/content/en/content-management/formats.md b/docs/content/en/content-management/formats.md
index 576ce2fa3..5654be7f0 100644
--- a/docs/content/en/content-management/formats.md
+++ b/docs/content/en/content-management/formats.md
@@ -100,6 +100,8 @@ Below are all the AsciiDoc related settings in Hugo with their default values:
 
 {{< code-toggle config="markup.asciidocExt" />}}
 
+Notice that for security concerns only extensions that do not have path separators (either `\`, `/` or `.`) are allowed. That means that extensions can only be invoked if they are in one's ruby's `$LOAD_PATH` (ie. most likely, the extension has been installed by the user). Any extension declared relative to the website's path will not be accepted.
+
 Example of how to set extensions and attributes:
 
 ```
-- 
cgit v1.2.3