diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go index 0f47f4adabd..eda2ac4233e 100644 --- a/markup/goldmark/integration_test.go +++ b/markup/goldmark/integration_test.go @@ -20,6 +20,7 @@ import ( "github.com/gohugoio/hugo/hugolib" ) +// Issue 9463 func TestAttributeExclusion(t *testing.T) { t.Parallel() @@ -55,9 +56,42 @@ foo ).Build() b.AssertFileContent("public/p1/index.html", ` -
-++
++ `) +} + +// Issue 9511 +func TestAttributeExclusionWithRenderHook(t *testing.T) { + t.Parallel() + + files := ` +-- content/p1.md -- +--- +title: "p1" +--- +## Heading {onclick="alert('renderhook')" data-foo="bar"} +-- layouts/_default/single.html -- +{{ .Content }} +-- layouts/_default/_markup/render-heading.html -- +{{ .Text | safeHTML }} +` + + b := hugolib.NewIntegrationTestBuilder( + hugolib.IntegrationTestConfig{ + T: t, + TxtarString: files, + NeedsOsFS: false, + }, + ).Build() + + b.AssertFileContent("public/p1/index.html", ` +Heading
`)
 }
diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go
index 5c600204cf9..1862c212543 100644
--- a/markup/goldmark/render_hooks.go
+++ b/markup/goldmark/render_hooks.go
@@ -57,6 +57,9 @@ func (a *attributesHolder) Attributes() map[string]string {
 a.attributesInit.Do(func() {
 a.attributes = make(map[string]string)
 for _, attr := range a.astAttributes {
+ if strings.HasPrefix(string(attr.Name), "on") {
+ continue
+ }
 a.attributes[string(attr.Name)] = string(util.EscapeHTML(attr.Value.([]byte)))
 }
 })
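Review bot: The new `strings.HasPrefix(string(attr.Name), "on")` guard in `Attributes()` compares case-sensitively, but HTML attribute names are case-insensitive, so an event-handler attribute written in upper or mixed case would still be copied into the map if the Markdown attribute parser keeps the author's casing (that parser is not visible in this diff). Normalising the name before the comparison closes the gap: `if strings.HasPrefix(strings.ToLower(string(attr.Name)), "on") {`. A one-line comment above it, such as `// Skip event-handler attributes (on*) so Markdown authors cannot attach script to rendered elements.`, would record why the filter exists. The new test in integration_test.go covers only lowercase `onclick` and would benefit from a mixed-case attribute as well. `Attributes()` starts and ends outside the hunk.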