
Commit 637995b

committed
Also handle inline HTML comments
1 parent f1de5d2 commit 637995b


2 files changed

+33
-10
lines changed

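--- a/markup/goldmark/goldmark_integration_test.go
+++ b/markup/goldmark/goldmark_integration_test.go
@@ -885,10 +885,27 @@ title: "p1"
 <img border="0" src="pic_trulli.jpg" alt="Trulli">
 -->
 
-XSS
+## XSS
 
 <!-- --><script>alert("I just escaped the HTML comment")</script><!-- -->
 
+
+## More
+
+This is a <!--hidden--> word.
+
+This is a <!-- hidden--> word.
+
+This is a <!-- hidden --> word.
+
+This is a <!--
+hidden --> word.
+
+This is a <!--
+hidden
+--> word.
+
+
 -- layouts/_default/single.html --
 {{ .Content }}
 `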
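Review bot: The new `## More` fixture lines add single- and multi-line inline comments, but the assertions that go with them are outside this hunk, so it is not visible here that the rendered output is checked for the absence of both the word `hidden` and the `<!-- raw HTML omitted -->` placeholder. Since the accompanying code change suppresses that placeholder based only on a `<!--` prefix, an explicit negative assertion for the multi-line `<!--` / `hidden` / `-->` case would pin the intended behaviour. The enclosing test function starts and ends outside the hunk.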

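--- a/markup/goldmark/hugocontext/hugocontext.go
+++ b/markup/goldmark/hugocontext/hugocontext.go
@@ -169,14 +169,16 @@ func (r *hugoContextRenderer) getPage(w util.BufWriter) any {
 return p
 }
 
+func (r *hugoContextRenderer) isHTMLComment(b []byte) bool {
+return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
+}
+
 // HTML rendering based on Goldmark implementation.
 func (r *hugoContextRenderer) renderHTMLBlock(
 w util.BufWriter, source []byte, node ast.Node, entering bool,
 ) (ast.WalkStatus, error) {
 n := node.(*ast.HTMLBlock)
-isHTMLComment := func(b []byte) bool {
-return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
-}
+
 if entering {
 if r.Unsafe {
 l := n.Lines().Len()
@@ -193,7 +195,7 @@ func (r *hugoContextRenderer) renderHTMLBlock(
 } else {
 l := n.Lines().At(0)
 v := l.Value(source)
-if !isHTMLComment(v) {
+if !r.isHTMLComment(v) {
 r.logRawHTMLEmittedWarn(w)
 _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
 }
@@ -206,7 +208,7 @@ func (r *hugoContextRenderer) renderHTMLBlock(
 } else {
 l := n.Lines().At(0)
 v := l.Value(source)
-if !isHTMLComment(v) {
+if !r.isHTMLComment(v) {
 _, _ = w.WriteString("<!-- raw HTML omitted -->\n")
 }
 }
@@ -221,17 +223,21 @@ func (r *hugoContextRenderer) renderRawHTML(
 if !entering {
 return ast.WalkSkipChildren, nil
 }
+n := node.(*ast.RawHTML)
+l := n.Segments.Len()
 if r.Unsafe {
-n := node.(*ast.RawHTML)
-l := n.Segments.Len()
 for i := 0; i < l; i++ {
 segment := n.Segments.At(i)
 _, _ = w.Write(segment.Value(source))
 }
 return ast.WalkSkipChildren, nil
 }
-r.logRawHTMLEmittedWarn(w)
-_, _ = w.WriteString("<!-- raw HTML omitted -->")
+segment := n.Segments.At(0)
+v := segment.Value(source)
+if !r.isHTMLComment(v) {
+r.logRawHTMLEmittedWarn(w)
+_, _ = w.WriteString("<!-- raw HTML omitted -->")
+}
 return ast.WalkSkipChildren, nil
 }
 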
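Review bot: `isHTMLComment` (new line 172) has no doc comment, and because it inspects only the leading `<!--`, a block such as the existing fixture line `<!-- --><script>…</script><!-- -->` is classified as a comment: in the non-Unsafe branches of renderHTMLBlock and renderRawHTML that suppresses both `r.logRawHTMLEmittedWarn(w)` and the `<!-- raw HTML omitted -->` placeholder, so the content is still not written (good) but the author gets no signal that active markup was stripped. Suggest stating that intent above the function: `// isHTMLComment reports whether b starts with "<!--". Only the prefix is inspected; in safe mode a matching block or inline segment is dropped silently (no warning, no placeholder), even when other markup follows the comment on the same line.` The receiver `r` is unused, so a plain function `isHTMLComment(b []byte) bool` returning `bytes.HasPrefix(b, []byte("<!--"))` would read more directly, assuming `bytes` is already imported (the import block is outside the hunk). In renderRawHTML only `n.Segments.At(0)` is inspected, which is acceptable because the safe path never writes the node's segments either way, but a one-line comment saying so would save the next reader the same check.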
