-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
html/template: backticks not treated as string delimiters (CVE-2023-24538) #59234
Comments
@gopherbot please open backport issues. |
Backport issue(s) opened: #59271 (for 1.19), #59272 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/481981 mentions this issue: |
Change https://go.dev/cl/481987 mentions this issue: |
Change https://go.dev/cl/481993 mentions this issue: |
Change https://go.dev/cl/482079 mentions this issue: |
…e literals ECMAScript 6 introduced template literals[0][1] which are delimited with backticks. These need to be escaped in a similar fashion to the delimiters for other string literals. Additionally template literals can contain special syntax for string interpolation. There is no clear way to allow safe insertion of actions within JS template literals, as handling (JS) string interpolation inside of these literals is rather complex. As such we've chosen to simply disallow template actions within these template literals. A new error code is added for this parsing failure case, errJsTmplLit, but it is unexported as it is not backwards compatible with other minor release versions to introduce an API change in a minor release. We will export this code in the next major release. The previous behavior (with the cavet that backticks are now escaped properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. This change subsumes CL471455. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. Fixes CVE-2023-24538 For #59234 Fixes #59271 [0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals [1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612 Run-TryBot: Roland Shoemaker <[email protected]> Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c Reviewed-on: https://go-review.googlesource.com/c/go/+/481987 Auto-Submit: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
…e literals ECMAScript 6 introduced template literals[0][1] which are delimited with backticks. These need to be escaped in a similar fashion to the delimiters for other string literals. Additionally template literals can contain special syntax for string interpolation. There is no clear way to allow safe insertion of actions within JS template literals, as handling (JS) string interpolation inside of these literals is rather complex. As such we've chosen to simply disallow template actions within these template literals. A new error code is added for this parsing failure case, errJsTmplLit, but it is unexported as it is not backwards compatible with other minor release versions to introduce an API change in a minor release. We will export this code in the next major release. The previous behavior (with the cavet that backticks are now escaped properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. This change subsumes CL471455. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. Fixes CVE-2023-24538 For #59234 Fixes #59272 [0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals [1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals Change-Id: Idff74ec386e9b73d6e9a3c9f71990eabc0ce7506 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802688 Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/481993 Run-TryBot: Michael Knyszek <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> TryBot-Bypass: Michael Knyszek <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
I do not think the solution merged handles the case where a template literal contains a string interpolation with another template literal, as in:
Go's simple JS state machine incorrectly thinks that "{{.V}}" appears outside of a JS template literal and escapes it as if it were the javascript context (by just adding quotes around it). As a result the output of this program is
which, if inserted as HTML in a web page, will run the alert function. #9200 has a good discussion of the complexities of this issue. |
Change https://go.dev/cl/482238 mentions this issue: |
Change https://go.dev/cl/482535 mentions this issue: |
Change https://go.dev/cl/482555 mentions this issue: |
This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. Updates #59234. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482238 Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> Reviewed-by: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. For #59270. Updates #59234. For #59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. For #59269. Updates #59234. For #59271. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482535 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
As @hundt mentioned, I don't think this should be closed, the vulnerability is still present |
@julieqiu just making sure you saw the remarks by @hundt and @karelbilek. See also: |
Thank you for letting us know. We will investigate and post updates to #9200. |
Change https://go.dev/cl/484075 mentions this issue: |
…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates golang#59153. For golang#59270. Updates golang#59234. For golang#59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates golang#59153. For golang#59270. Updates golang#59234. For golang#59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See golang/go#59234 Fixes gohugoio#11112
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See golang/go#59234 Fixes gohugoio#11112
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See golang/go#59234 Fixes gohugoio#11112
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See golang/go#59234 Fixes #11112
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/gohugoio/hugo](https://togithub.com/gohugoio/hugo) | require | minor | `v0.111.3` -> `v0.114.0` | --- ### Release Notes <details> <summary>gohugoio/hugo</summary> ### [`v0.114.0`](https://togithub.com/gohugoio/hugo/releases/tag/v0.114.0) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.113.0...v0.114.0) The main new thing in this release is that we now support both major versions of the Dart Sass Embedded protocol, which means that you now can use the regular [Dart Sass](https://togithub.com/sass/dart-sass/releases) binary. We measured the new protocol to be [faster with high concurrency](https://togithub.com/bep/godartsass/pull/17): name old time/op new time/op delta Transpiler/SCSS-10 114µs ± 0% 145µs ± 1% +26.40% (p=0.029 n=4+4) Transpiler/Start_and_Execute-10 25.6ms ± 2% 26.0ms ± 3% ~ (p=0.486 n=4+4) Transpiler/SCSS_Parallel-10 89.0µs ± 2% 44.4µs ± 3% -50.12% (p=0.029 n=4+4) name old alloc/op new alloc/op delta Transpiler/SCSS-10 1.33kB ± 1% 1.33kB ± 0% ~ (p=1.000 n=4+4) Transpiler/Start_and_Execute-10 22.4kB ± 1% 22.4kB ± 1% ~ (p=0.886 n=4+4) Transpiler/SCSS_Parallel-10 1.34kB ± 3% 1.33kB ± 1% ~ (p=1.000 n=4+4) name old allocs/op new allocs/op delta Transpiler/SCSS-10 18.0 ± 0% 18.0 ± 0% ~ (all equal) Transpiler/Start_and_Execute-10 144 ± 1% 150 ± 0% +4.16% (p=0.029 n=4+4) Transpiler/SCSS_Parallel-10 18.0 ± 0% 18.0 ± 0% ~ (all equal) We have also moved to a new log library and added some new [math functions](https://gohugo.io/functions/math/) and also revised the existing set to work better with a mix of scalars and slices. #### Notes - We have removed the flags `--log`, `--verboseLog`, added the new flag `--logLevel` and deprecated `--verbose` and `--`--debug\` See [#​11088](https://togithub.com/gohugoio/hugo/issues/11088) - This release contains a security fix in the upstream Go HTML template library disallowing JavaScript inside backticks by default. See [https://github.com/golang/go/issues/59234](https://togithub.com/golang/go/issues/59234) If you really need this and are sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` #### Bug fixes - common/loggers: Drop the bold INFO etc. prefixes [`6dfbd24`](https://togithub.com/gohugoio/hugo/commit/6dfbd247) [@​bep](https://togithub.com/bep) - all: Fix some typos [`68d9d3e`](https://togithub.com/gohugoio/hugo/commit/68d9d3eb) [@​deining](https://togithub.com/deining) - all: Fix typos in function names and comments [`9009c8c`](https://togithub.com/gohugoio/hugo/commit/9009c8cd) [@​alexandear](https://togithub.com/alexandear) - deploy: Fix deploy defaults for non-zero flag values (e.g. maxDeletes, invalidateCDN) [`12dc9a6`](https://togithub.com/gohugoio/hugo/commit/12dc9a6e) [@​bep](https://togithub.com/bep) [#​11127](https://togithub.com/gohugoio/hugo/issues/11127) - Fix upstream Go templates bug with reversed key/value assignment [`ee359df`](https://togithub.com/gohugoio/hugo/commit/ee359df1) [@​bep](https://togithub.com/bep) [#​11112](https://togithub.com/gohugoio/hugo/issues/11112) - tpl/collections: Fix append when appending a slice to a slice of slices [`d178fe9`](https://togithub.com/gohugoio/hugo/commit/d178fe94) [@​bep](https://togithub.com/bep) [#​11093](https://togithub.com/gohugoio/hugo/issues/11093) - Fix .Width and .Height for animated gifs [`21d1756`](https://togithub.com/gohugoio/hugo/commit/21d17566) [@​bep](https://togithub.com/bep) [#​11079](https://togithub.com/gohugoio/hugo/issues/11079) - Fix config merge regression with root slices (e.g. disableKinds) [`60a2cdf`](https://togithub.com/gohugoio/hugo/commit/60a2cdf7) [@​bep](https://togithub.com/bep) [#​11089](https://togithub.com/gohugoio/hugo/issues/11089) - Fix handling of aliases (e.g. hugo serve) [`0541a1b`](https://togithub.com/gohugoio/hugo/commit/0541a1b5) [@​bep](https://togithub.com/bep) [#​11090](https://togithub.com/gohugoio/hugo/issues/11090) - commands,config: Fix typo in log and error messages [`b8526f3`](https://togithub.com/gohugoio/hugo/commit/b8526f32) [@​alexandear](https://togithub.com/alexandear) - Fix indented SASS imports for Dart Sass [`c782ebd`](https://togithub.com/gohugoio/hugo/commit/c782ebd8) [@​bep](https://togithub.com/bep) [#​11074](https://togithub.com/gohugoio/hugo/issues/11074) #### Improvements - Add empty Environ when loading test config [`3ab8465`](https://togithub.com/gohugoio/hugo/commit/3ab84651) [@​bep](https://togithub.com/bep) - loggers: Avoid using Logf for the LevelLoggerToWriter [`f59c3c0`](https://togithub.com/gohugoio/hugo/commit/f59c3c02) [@​bep](https://togithub.com/bep) - tocss/dartsas: Avoid using Logf for the internal Dart Sass logging [`3ca29b1`](https://togithub.com/gohugoio/hugo/commit/3ca29b15) [@​bep](https://togithub.com/bep) - helpers: Remove superflous formatting flag in deprecation warnings [`fdb0b7f`](https://togithub.com/gohugoio/hugo/commit/fdb0b7fb) [@​bep](https://togithub.com/bep) - common/loggers: Re-add trailing newline in logger.Printf [`1b85303`](https://togithub.com/gohugoio/hugo/commit/1b85303a) [@​bep](https://togithub.com/bep) [#​11130](https://togithub.com/gohugoio/hugo/issues/11130) - Replace the old log setup, with structured logging etc. [`7c9fada`](https://togithub.com/gohugoio/hugo/commit/7c9fada7) [@​bep](https://togithub.com/bep) [#​11124](https://togithub.com/gohugoio/hugo/issues/11124) - common/collections: Always make a copy of the input slice in Append [`f73c567`](https://togithub.com/gohugoio/hugo/commit/f73c5675) [@​bep](https://togithub.com/bep) [#​10458](https://togithub.com/gohugoio/hugo/issues/10458) - Re-add site.RSSLink (and deprecate it) [`90b2674`](https://togithub.com/gohugoio/hugo/commit/90b2674d) [@​bep](https://togithub.com/bep) [#​11110](https://togithub.com/gohugoio/hugo/issues/11110) - tpl/math: Allow variadic math functions to take slice args, add math.Product, math.Sum [`2ba2271`](https://togithub.com/gohugoio/hugo/commit/2ba2271e) [@​bep](https://togithub.com/bep) [#​11030](https://togithub.com/gohugoio/hugo/issues/11030) - commands: Remove flags log, verboseLog, add flag logLevel, deprecate flags verbose and debug [`ef147f4`](https://togithub.com/gohugoio/hugo/commit/ef147f4e) [@​bep](https://togithub.com/bep) [#​9648](https://togithub.com/gohugoio/hugo/issues/9648) [#​11071](https://togithub.com/gohugoio/hugo/issues/11071) - cache: Set default cache path based on $USER [`258884f`](https://togithub.com/gohugoio/hugo/commit/258884f4) [@​Sircular](https://togithub.com/Sircular) [#​7391](https://togithub.com/gohugoio/hugo/issues/7391) - resources: Remove failing and superflous test assertion [`69f0e88`](https://togithub.com/gohugoio/hugo/commit/69f0e88a) [@​bep](https://togithub.com/bep) - helpers: Avoid url.Parse in RelURL and AbsURL if we can [`ed7e250`](https://togithub.com/gohugoio/hugo/commit/ed7e2500) [@​bep](https://togithub.com/bep) - Adjust benchmarks [`6a09e7f`](https://togithub.com/gohugoio/hugo/commit/6a09e7f2) [@​bep](https://togithub.com/bep) - Adjust benchmark [`29e5cbb`](https://togithub.com/gohugoio/hugo/commit/29e5cbb6) [@​bep](https://togithub.com/bep) - Add BenchmarkAbsURL [`ded6866`](https://togithub.com/gohugoio/hugo/commit/ded68660) [@​bep](https://togithub.com/bep) - helpers: Improve schema detection when creating relative URLs [`e1d4302`](https://togithub.com/gohugoio/hugo/commit/e1d43021) [@​jmooring](https://togithub.com/jmooring) [#​11080](https://togithub.com/gohugoio/hugo/issues/11080) - helpers: Add a basic benchmark for RelURL [`5db215d`](https://togithub.com/gohugoio/hugo/commit/5db215d4) [@​bep](https://togithub.com/bep) - config: Remove unexpected \_merge keys introduced in author and social maps [`b7dc93c`](https://togithub.com/gohugoio/hugo/commit/b7dc93ca) [@​bep](https://togithub.com/bep) [#​11083](https://togithub.com/gohugoio/hugo/issues/11083) - Upgrade to v2 of the Dart Sass Embedded Protocol [`f210188`](https://togithub.com/gohugoio/hugo/commit/f210188d) [@​bep](https://togithub.com/bep) [#​11059](https://togithub.com/gohugoio/hugo/issues/11059) #### Dependency Updates - Revert "build(deps): bump gocloud.dev from 0.24.0 to 0.29.0" [`59300fa`](https://togithub.com/gohugoio/hugo/commit/59300faa) [@​bep](https://togithub.com/bep) - Revert "deps: Update github.com/tdewolff/minify/v2 v2.12.5 => v2.12.6" [`49dd53a`](https://togithub.com/gohugoio/hugo/commit/49dd53a4) [@​bep](https://togithub.com/bep) [#​11132](https://togithub.com/gohugoio/hugo/issues/11132) - build(deps): bump github.com/evanw/esbuild from 0.18.3 to 0.18.4 [`8a04d47`](https://togithub.com/gohugoio/hugo/commit/8a04d47a) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/evanw/esbuild from 0.18.2 to 0.18.3 [`aaf2e96`](https://togithub.com/gohugoio/hugo/commit/aaf2e969) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 [`0f989d5`](https://togithub.com/gohugoio/hugo/commit/0f989d5e) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump google.golang.org/api from 0.123.0 to 0.127.0 [`732dcb8`](https://togithub.com/gohugoio/hugo/commit/732dcb84) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump golang.org/x/tools from 0.9.1 to 0.9.3 [`944859f`](https://togithub.com/gohugoio/hugo/commit/944859f1) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/kyokomi/emoji/v2 from 2.2.11 to 2.2.12 [`bb9377b`](https://togithub.com/gohugoio/hugo/commit/bb9377b5) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/getkin/kin-openapi from 0.117.0 to 0.118.0 [`e88f1b8`](https://togithub.com/gohugoio/hugo/commit/e88f1b80) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump golang.org/x/net from 0.10.0 to 0.11.0 [`516f0cb`](https://togithub.com/gohugoio/hugo/commit/516f0cb6) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump gocloud.dev from 0.24.0 to 0.29.0 [`7bed16c`](https://togithub.com/gohugoio/hugo/commit/7bed16c3) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump golang.org/x/image from 0.7.0 to 0.8.0 [`e08cfc8`](https://togithub.com/gohugoio/hugo/commit/e08cfc8c) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 [`4895195`](https://togithub.com/gohugoio/hugo/commit/48951956) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/pelletier/go-toml/v2 from 2.0.6 to 2.0.8 [`91c0b0f`](https://togithub.com/gohugoio/hugo/commit/91c0b0f7) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/evanw/esbuild from 0.17.19 to 0.18.2 [`baef235`](https://togithub.com/gohugoio/hugo/commit/baef235d) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump go.uber.org/atomic from 1.10.0 to 1.11.0 [`254c2b3`](https://togithub.com/gohugoio/hugo/commit/254c2b32) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/hairyhenderson/go-codeowners [`84f71ba`](https://togithub.com/gohugoio/hugo/commit/84f71ba8) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/frankban/quicktest from 1.14.4 to 1.14.5 [`82adc97`](https://togithub.com/gohugoio/hugo/commit/82adc972) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/mattn/go-isatty from 0.0.17 to 0.0.19 [`60533fd`](https://togithub.com/gohugoio/hugo/commit/60533fdc) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.5 [`261143b`](https://togithub.com/gohugoio/hugo/commit/261143bb) [@​dependabot](https://togithub.com/dependabot)\[bot] #### Documentation - docs: Regen docshelper [`9f98b3e`](https://togithub.com/gohugoio/hugo/commit/9f98b3e7) [@​bep](https://togithub.com/bep) - docs: Regen CLI docs [`7241b5f`](https://togithub.com/gohugoio/hugo/commit/7241b5fd) [@​bep](https://togithub.com/bep) #### Build Setup - Revert "snap: Transition base snap from core20 to core22 ([#​11101](https://togithub.com/gohugoio/hugo/issues/11101))" ([#​11125](https://togithub.com/gohugoio/hugo/issues/11125)) [`0e79446`](https://togithub.com/gohugoio/hugo/commit/0e794465) [@​jmooring](https://togithub.com/jmooring) [#​11116](https://togithub.com/gohugoio/hugo/issues/11116) - snap: Transition base snap from core20 to core22 ([#​11101](https://togithub.com/gohugoio/hugo/issues/11101)) [`35e9b3e`](https://togithub.com/gohugoio/hugo/commit/35e9b3ed) [@​jmooring](https://togithub.com/jmooring) ### [`v0.113.0`](https://togithub.com/gohugoio/hugo/releases/tag/v0.113.0) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.7...v0.113.0) This release adds TLS/HTTPS support to `hugo server` (see [`cf38c73`](https://togithub.com/gohugoio/hugo/commit/cf38c73f) and [#​11064](https://togithub.com/gohugoio/hugo/issues/11064) for details) entirely backed by [mkcert](https://togithub.com/FiloSottile/mkcert). We still default to `http` which is recommended and good enough for 99% of the Hugo use, but there are [some situations](https://web.dev/when-to-use-local-https/) where you really need it. We have added a new sub command and some new flags to `hugo server` to enable this: ### Installs a local CA in the system root store. You only need to do this once. hugo server trust ### Generates locally-trusted certificates (if not already created) and starts the server with TLS/HTTPS enabled. hugo server --tlsAuto Note that we just delegate to [mkcert](https://togithub.com/FiloSottile/mkcert) using its default settings, so all of their documentation is relevant. Also note that this is currently only supported for Linux, MacOS and Windows. And if you install on Linux using Snap, you will currently get an access denied error when running `hugo server trust`. A workaround for that, or if you need to use some of mkcert's advanced options, is to use mkcert directly to install the local CA: go install filippo.io/mkcert@latest mkcert -install You can then start the server with `hugo server --tlsAuto`. If you have obtained the TLS certificate and key file by other means, you can use the `--tlsCertFile` and `--tlsKeyFile` flags. When `--tlsAuto` or `--tlsCertFile` and `--tlsKeyFile` is set and no `--baseURL` is provided as a flag, the server is started with TLS and `https` as the protocol. ### [`v0.112.7`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.7) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.6...v0.112.7) #### What's Changed - Fix menuItem.URL when pageRef is not set [`5e5ce00`](https://togithub.com/gohugoio/hugo/commit/5e5ce00d) [@​bep](https://togithub.com/bep) [#​11062](https://togithub.com/gohugoio/hugo/issues/11062) - Don't inject livereload script on hugo -w [`a191b38`](https://togithub.com/gohugoio/hugo/commit/a191b38a) [@​bep](https://togithub.com/bep) [#​11061](https://togithub.com/gohugoio/hugo/issues/11061) - markup: Fix typo in function and struct names [`382c726`](https://togithub.com/gohugoio/hugo/commit/382c726e) [@​alexandear](https://togithub.com/alexandear) - all: Replace deprecated ioutil with io and os [`4c46f94`](https://togithub.com/gohugoio/hugo/commit/4c46f940) [@​alexandear](https://togithub.com/alexandear) ### [`v0.112.6`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.6) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.5...v0.112.6) - github: Fix Windows build [`06faee5`](https://togithub.com/gohugoio/hugo/commit/06faee5b) [@​bep](https://togithub.com/bep) [#​11052](https://togithub.com/gohugoio/hugo/issues/11052) - Fix potential deadlock in ByParam [`3258569`](https://togithub.com/gohugoio/hugo/commit/32585696) [@​bep](https://togithub.com/bep) [#​11039](https://togithub.com/gohugoio/hugo/issues/11039) - commands: Add --lang to hugo config [`0ef2952`](https://togithub.com/gohugoio/hugo/commit/0ef29528) [@​bep](https://togithub.com/bep) [#​11057](https://togithub.com/gohugoio/hugo/issues/11057) - Make sure any default mounts show up in "hugo config" [`e3ae8f0`](https://togithub.com/gohugoio/hugo/commit/e3ae8f02) [@​bep](https://togithub.com/bep) [#​11040](https://togithub.com/gohugoio/hugo/issues/11040) - tpl/tplimpl: Use .Language.LanguageCode in built-in templates [`ff77a92`](https://togithub.com/gohugoio/hugo/commit/ff77a927) [@​jmooring](https://togithub.com/jmooring) - Fail on invalid defaultContentLanguage [`9cdca1f`](https://togithub.com/gohugoio/hugo/commit/9cdca1f9) [@​bep](https://togithub.com/bep) [#​11044](https://togithub.com/gohugoio/hugo/issues/11044) - Avoid panic in invalid language config [`6462eec`](https://togithub.com/gohugoio/hugo/commit/6462eecf) [@​bep](https://togithub.com/bep) [#​11046](https://togithub.com/gohugoio/hugo/issues/11046) - Don't panic on empty yaml config params [`a7d6b14`](https://togithub.com/gohugoio/hugo/commit/a7d6b141) [@​bep](https://togithub.com/bep) [#​11047](https://togithub.com/gohugoio/hugo/issues/11047) - Prevent double escaping of image alt-text in Goldmar typographer [`3f497d4`](https://togithub.com/gohugoio/hugo/commit/3f497d49) [@​bep](https://togithub.com/bep) [#​11045](https://togithub.com/gohugoio/hugo/issues/11045) - deps: Update github.com/tdewolff/minify/v2 v2.12.5 => v2.12.6 [`409c6c3`](https://togithub.com/gohugoio/hugo/commit/409c6c3f) [@​jmooring](https://togithub.com/jmooring) ### [`v0.112.5`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.5) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.4...v0.112.5) #### What's Changed - Fix it so languageCode on top level config still works [`e3dfc76`](https://togithub.com/gohugoio/hugo/commit/e3dfc76f) [@​bep](https://togithub.com/bep) [#​11037](https://togithub.com/gohugoio/hugo/issues/11037) ### [`v0.112.4`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.4) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.3...v0.112.4) - Fix Processed images count regression for multiple languages [`fd09933`](https://togithub.com/gohugoio/hugo/commit/fd099331) [@​bep](https://togithub.com/bep) [#​11002](https://togithub.com/gohugoio/hugo/issues/11002) - Fix --renderStaticToDisk regression [`8f293a1`](https://togithub.com/gohugoio/hugo/commit/8f293a18) [@​bep](https://togithub.com/bep) [#​11026](https://togithub.com/gohugoio/hugo/issues/11026) - commands: Add the common build flags to the config commands [`51d0a0a`](https://togithub.com/gohugoio/hugo/commit/51d0a0ab) [@​bep](https://togithub.com/bep) [#​11018](https://togithub.com/gohugoio/hugo/issues/11018) - commands: Reinstate some of the removed build flags (e.g. --theme) to new and mod [`43f1282`](https://togithub.com/gohugoio/hugo/commit/43f1282e) [@​bep](https://togithub.com/bep) [#​11018](https://togithub.com/gohugoio/hugo/issues/11018) - Don't create the public folder unless needed [`e96cdfe`](https://togithub.com/gohugoio/hugo/commit/e96cdfe9) [@​bep](https://togithub.com/bep) [#​11031](https://togithub.com/gohugoio/hugo/issues/11031) - commands: Fail the build when no config file or config dir [`273d9f6`](https://togithub.com/gohugoio/hugo/commit/273d9f69) [@​bep](https://togithub.com/bep) [#​11019](https://togithub.com/gohugoio/hugo/issues/11019) - langs: Remove the Language.Params deprecation message for now [`a6257d8`](https://togithub.com/gohugoio/hugo/commit/a6257d8a) [@​bep](https://togithub.com/bep) [#​11025](https://togithub.com/gohugoio/hugo/issues/11025) - Add language.LanguageCode [`6c2db0d`](https://togithub.com/gohugoio/hugo/commit/6c2db0df) [@​bep](https://togithub.com/bep) [#​11027](https://togithub.com/gohugoio/hugo/issues/11027) - commands: Re-introduce the -f shorthand for hugo new site [`901cd97`](https://togithub.com/gohugoio/hugo/commit/901cd970) [@​bep](https://togithub.com/bep) [#​11015](https://togithub.com/gohugoio/hugo/issues/11015) - commands: Move the --format flag to only the commands that support it [`f86b5f7`](https://togithub.com/gohugoio/hugo/commit/f86b5f70) [@​bep](https://togithub.com/bep) [#​11022](https://togithub.com/gohugoio/hugo/issues/11022) #### Documentation - docs: Regenerate CLI docs [`20ea2e0`](https://togithub.com/gohugoio/hugo/commit/20ea2e0c) [@​bep](https://togithub.com/bep) - docs: Regen CLI docs [`ffdbce5`](https://togithub.com/gohugoio/hugo/commit/ffdbce57) [@​bep](https://togithub.com/bep) ### [`v0.112.3`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.3) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.2...v0.112.3) #### What's Changed - Fix regression when loading config -e is empty or HUGO_ENV or HUGO_ENVIRONMENT is set [`231374a`](https://togithub.com/gohugoio/hugo/commit/231374a1) [@​bep](https://togithub.com/bep) [#​11013](https://togithub.com/gohugoio/hugo/issues/11013) ### [`v0.112.2`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.2) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.1...v0.112.2) #### What's Changed - minifiers: Make sure JS.Version always has a value [`dd67922`](https://togithub.com/gohugoio/hugo/commit/dd679220) [@​bep](https://togithub.com/bep) [#​11012](https://togithub.com/gohugoio/hugo/issues/11012) - Fix regression with site.IsServer when not running a server [`9a235d0`](https://togithub.com/gohugoio/hugo/commit/9a235d0a) [@​bep](https://togithub.com/bep) [#​11006](https://togithub.com/gohugoio/hugo/issues/11006) ### [`v0.112.1`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.1) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.112.0...v0.112.1) #### What's Changed - Fix regression when config for OutputFormat.BaseName is an empty string [`ed906a8`](https://togithub.com/gohugoio/hugo/commit/ed906a86) [@​bep](https://togithub.com/bep) [#​11000](https://togithub.com/gohugoio/hugo/issues/11000) Also see the main release: https://github.com/gohugoio/hugo/releases/tag/v0.112.0 ### [`v0.112.0`](https://togithub.com/gohugoio/hugo/releases/tag/v0.112.0) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.111.3...v0.112.0) > **Note:** There's a patch release out already, see https://github.com/gohugoio/hugo/releases/tag/v0.112.1 Proper **TailwindCSS v3.x support**, much improved **language config merge**, consolidation of all Hugo config (check out `hugo config`), rewritten `commands` package (CLI) using [SimpleCobra](https://togithub.com/bep/simplecobra), Goldmark's typographer extension (quotation marks per language), and more. #### Headlines ##### TailwindCSS v3.x Support, new cache buster configuration > See https://github.com/bep/hugo-starter-tailwind-basic for a running example. TailwindCSS 3 has been out for a while now, and unfortunately their new build strategy didn't work very well with Hugo. But this release adds a new `build.cachebusters` config option for the resource cache that allows more fine grained control over when to trigger a new Tailwind build. This is a generally useful feature, so if you're having issues not seeing your resource changes (e.g. change to a JS file) on change, you could try to tweak the defaults. A tip is to run the server with `hugo server --debug` and watch out for log messages prefixed with `cachebuster:` on file changes. There are several possible setups here, but one that we have tested and that works well is outlined in the config below. The basic concept is to add `hugo_stats.json` to the server watcher list in Hugo and trigger a new TailwindCSS build only whenever either this file or the main CSS file changes. ```toml [module] [[module.mounts]] source = "assets" target = "assets" [[module.mounts]] source = "hugo_stats.json" target = "assets/watching/hugo_stats.json" [build] writeStats = true [[build.cachebusters]] source = "assets/watching/hugo_stats\\.json" target = "styles\\.css" [[build.cachebusters]] source = "(postcss|tailwind)\\.config\\.js" target = "css" [[build.cachebusters]] source = "assets/.*\\.(js|ts|jsx|tsx)" target = "js" [[build.cachebusters]] source = "assets/.*\\.(.*)$" target = "$1" ``` And then in `tailwind.config.js`: ```js module.exports = { content: ['./hugo_stats.json'], }; ``` ##### Reconsolidated all configuration handling For this release we have collected all configuration into one big Go struct and rewritten the command line API using [SimpleCobra](https://togithub.com/bep/simplecobra). All of this makes the source code easier to maintain and understand, but the original motivation for this was to get a complete and autogenerated API reference for Hugo (we're working on getting that done), but this also have some less technical upsides: ##### 'hugo config' is now complete What you get when running `hugo config` is a complete TOML representation (add `--format json` or `--format yaml` for alternative formats) of *the effective* configuration. As this will include default values and configuration merged in from themes, we don't recommend to copy and paste this into `hugo.toml`, as that would make your configuration very verbose. ##### Improved language config handling See issue [#​10620](https://togithub.com/gohugoio/hugo/issues/10620) for some details, but in general, the merge behaviour of sections from `languages` is much improved. In the example below for language `en` you will now get: ```json "comments": { "color": "blue", "title": "English Comments Title", } ``` In earlier versions of Hugo you would get: ```json "comments": { "title": "English Comments Title", } ``` ```toml title = "Base Title" staticDir = "mystatic" [params] [params.comments] color = "blue" title = "Default Comments Title" [languages] [languages.en] title = "English Title" [languages.en.params.comments] title = "English Comments Title" ``` Note that values in a given language will always have precedence over same keys in root (the section inside the language is the receiving side of any merge operation), so, if you want the old (and buggy) behaviour, you can add a merge strategy to one of the `params` sections, e.g: ```toml [languages.en.params.comments] _merge = "none" title = "English Comments Title" ``` You can now also configure just about *everything* per language. One useful example would be the Goldmark `typographer` extension: ```toml [languages.de] languageCode = 'de-DE' languageName = 'Deutsch' weight = 2 [languages.de.markup.goldmark.extensions.typographer] leftDoubleQuote = '«' # default “ rightDoubleQuote = '»' # default ” ``` ##### More info in verbose build output If you build flag with the `-v`, you will now get timing info for the core building steps in Hugo: INFO 2023/05/16 09:53:55 process in 17 ms INFO 2023/05/16 09:53:55 assemble in 345 ms INFO 2023/05/16 09:53:55 render in 341 ms INFO 2023/05/16 09:53:55 postProcess in 0 ms #### Notes - openapi2: .ExtensionProps is now .Extensions and just a map. - We have deprecated `site.Language.Params` and configuration of custom params outside of the language `[params]`, see https://gohugo.io/content-management/multilingual/#changes-in-hugo-01120 for more information. #### Bug fixes - Fix "unknown command" message when no suggestion [`288be19`](https://togithub.com/gohugoio/hugo/commit/288be197) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - commands: Fix build logic when listing expired/future draft content [`e6dc805`](https://togithub.com/gohugoio/hugo/commit/e6dc8053) [@​bep](https://togithub.com/bep) [#​10972](https://togithub.com/gohugoio/hugo/issues/10972) - commands: Fix data race [`0a51dfa`](https://togithub.com/gohugoio/hugo/commit/0a51dfac) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - tpl/urls: Fix build broken by a merge [`e4e0313`](https://togithub.com/gohugoio/hugo/commit/e4e0313c) [@​bep](https://togithub.com/bep) - Fix warn message about custom params on the language top level [`ad4bc96`](https://togithub.com/gohugoio/hugo/commit/ad4bc969) [@​deining](https://togithub.com/deining) - Fix some spelling mistakes [`4003c79`](https://togithub.com/gohugoio/hugo/commit/4003c790) [@​cuishuang](https://togithub.com/cuishuang) - all: Fix comments for exported functions and packages [`610ceda`](https://togithub.com/gohugoio/hugo/commit/610cedaa) [@​alexandear](https://togithub.com/alexandear) - modules: Fix format flag in error [`95818e2`](https://togithub.com/gohugoio/hugo/commit/95818e27) [@​alexandear](https://togithub.com/alexandear) - Fix some recently introduced error handling issues [`834b3d7`](https://togithub.com/gohugoio/hugo/commit/834b3d7e) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - Re-add site.LanguagePrefix [`86b2a27`](https://togithub.com/gohugoio/hugo/commit/86b2a274) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - Deprecate site.Language.Params and some other fixes [`5d85716`](https://togithub.com/gohugoio/hugo/commit/5d857165) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - readme: Fix build command [`d01731d`](https://togithub.com/gohugoio/hugo/commit/d01731d5) [@​kirisakow](https://togithub.com/kirisakow) - resources: Fix typos in error message and variables [`891b291`](https://togithub.com/gohugoio/hugo/commit/891b2918) [@​alexandear](https://togithub.com/alexandear) - commands: Fix data race in test [`0fbab7c`](https://togithub.com/gohugoio/hugo/commit/0fbab7cb) [@​bep](https://togithub.com/bep) #### Improvements - circleci: Add github.com to known hosts [`70b2aaf`](https://togithub.com/gohugoio/hugo/commit/70b2aaf8) [@​bep](https://togithub.com/bep) - Add --format to hugo config [`85b13c1`](https://togithub.com/gohugoio/hugo/commit/85b13c10) [@​bep](https://togithub.com/bep) - postcss: Improve validation of option 'config' [`9a0370e`](https://togithub.com/gohugoio/hugo/commit/9a0370e8) [@​deining](https://togithub.com/deining) - Avoid writing to hugo_stats.json when there are no changes [`4cac5f5`](https://togithub.com/gohugoio/hugo/commit/4cac5f5e) [@​bep](https://togithub.com/bep) [#​10985](https://togithub.com/gohugoio/hugo/issues/10985) - Add cache busting config to support Tailwind 3 [`2c3d4df`](https://togithub.com/gohugoio/hugo/commit/2c3d4dfb) [@​bep](https://togithub.com/bep) [#​10974](https://togithub.com/gohugoio/hugo/issues/10974) - commands: Make all list commands list what 'all' did before [`6ca8a40`](https://togithub.com/gohugoio/hugo/commit/6ca8a40f) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - tpl/tplimpl: Add img loading attribute to figure shortcode ([#​10927](https://togithub.com/gohugoio/hugo/issues/10927)) [`2db7ec6`](https://togithub.com/gohugoio/hugo/commit/2db7ec62) [@​InLaw](https://togithub.com/InLaw) - Allow whitelisting mediaTypes used in resources.GetRemote [`2637b4e`](https://togithub.com/gohugoio/hugo/commit/2637b4ef) [@​bep](https://togithub.com/bep) [#​10286](https://togithub.com/gohugoio/hugo/issues/10286) - Add hugo.WorkingDir [`7c7baa6`](https://togithub.com/gohugoio/hugo/commit/7c7baa61) [@​bep](https://togithub.com/bep) [#​10969](https://togithub.com/gohugoio/hugo/issues/10969) - Make language merging of markup etc. config without values in the root [`4f085e8`](https://togithub.com/gohugoio/hugo/commit/4f085e80) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - tpl/urls: Return empty string when JoinPath has zero args [`150d190`](https://togithub.com/gohugoio/hugo/commit/150d190f) [@​jmooring](https://togithub.com/jmooring) - Re-add --printUnusedTemplates and --printPathWarnings [`d6197a4`](https://togithub.com/gohugoio/hugo/commit/d6197a41) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - tpl/urls: Add JoinPath template function [`5b3e165`](https://togithub.com/gohugoio/hugo/commit/5b3e165b) [@​jmooring](https://togithub.com/jmooring) [#​9694](https://togithub.com/gohugoio/hugo/issues/9694) - Allow legacy taxonomyTerm in disableKinds [`03cb38e`](https://togithub.com/gohugoio/hugo/commit/03cb38e6) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - Make GOMAXPROCS to be CPU limit aware [`008170c`](https://togithub.com/gohugoio/hugo/commit/008170c8) [@​BenTheElder](https://togithub.com/BenTheElder) [#​10950](https://togithub.com/gohugoio/hugo/issues/10950) - Allow empty params.mainSections [`7c647bc`](https://togithub.com/gohugoio/hugo/commit/7c647bca) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - commands: Load config before creating the filesystem [`3f00f47`](https://togithub.com/gohugoio/hugo/commit/3f00f475) [@​bep](https://togithub.com/bep) - github: Trim the test flow a little [`35955f5`](https://togithub.com/gohugoio/hugo/commit/35955f50) [@​bep](https://togithub.com/bep) - commands: Improve the common build flag handling [`8a69ccb`](https://togithub.com/gohugoio/hugo/commit/8a69ccbb) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - Support, but warn, about top level language custom params [`7ce033a`](https://togithub.com/gohugoio/hugo/commit/7ce033a8) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - Handle transient errors in config loading etc. [`0554213`](https://togithub.com/gohugoio/hugo/commit/05542130) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - Re-establish all the server flags [`5251f01`](https://togithub.com/gohugoio/hugo/commit/5251f015) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - Revert "Make GOMAXPROCS CPU limit aware" [`0106cf1`](https://togithub.com/gohugoio/hugo/commit/0106cf1a) [@​bep](https://togithub.com/bep) - Make GOMAXPROCS CPU limit aware [`59050f9`](https://togithub.com/gohugoio/hugo/commit/59050f97) [@​BenTheElder](https://togithub.com/BenTheElder) [#​10950](https://togithub.com/gohugoio/hugo/issues/10950) - Add Sections to Site interface [`faa6998`](https://togithub.com/gohugoio/hugo/commit/faa6998f) [@​bep](https://togithub.com/bep) [#​10947](https://togithub.com/gohugoio/hugo/issues/10947) - helpers: simplify path tests with T.TempDir [`3d90871`](https://togithub.com/gohugoio/hugo/commit/3d90871e) [@​alexandear](https://togithub.com/alexandear) - tpl: Add math.Abs [`bda082c`](https://togithub.com/gohugoio/hugo/commit/bda082c9) [@​alexandear](https://togithub.com/alexandear) [#​10941](https://togithub.com/gohugoio/hugo/issues/10941) - Create a struct with all of Hugo's config options [`241b21b`](https://togithub.com/gohugoio/hugo/commit/241b21b0) [@​bep](https://togithub.com/bep) [#​10896](https://togithub.com/gohugoio/hugo/issues/10896) [#​10620](https://togithub.com/gohugoio/hugo/issues/10620) - Improve date parsing performance for the common case [`6aededf`](https://togithub.com/gohugoio/hugo/commit/6aededf6) [@​bep](https://togithub.com/bep) [#​10942](https://togithub.com/gohugoio/hugo/issues/10942) - Add a counter helper [`0988b76`](https://togithub.com/gohugoio/hugo/commit/0988b76a) [@​bep](https://togithub.com/bep) - Expand the baseline benchmark a little [`e0e19a9`](https://togithub.com/gohugoio/hugo/commit/e0e19a93) [@​bep](https://togithub.com/bep) - Revert "Update syntax-highlighting.md ([#​10929](https://togithub.com/gohugoio/hugo/issues/10929))" ([#​10930](https://togithub.com/gohugoio/hugo/issues/10930)) [`bcd7ac7`](https://togithub.com/gohugoio/hugo/commit/bcd7ac77) [@​jmooring](https://togithub.com/jmooring) - Update syntax-highlighting.md ([#​10929](https://togithub.com/gohugoio/hugo/issues/10929)) [`a4fb8dc`](https://togithub.com/gohugoio/hugo/commit/a4fb8dc6) [@​kirillbobyrev](https://togithub.com/kirillbobyrev) - tpl/strings: Clarify findRESubmatch description [`5c7b79c`](https://togithub.com/gohugoio/hugo/commit/5c7b79cf) [@​jmooring](https://togithub.com/jmooring) - langs/i18n: Fallback to defaultContentLanguage instead of English [`0cb6ca5`](https://togithub.com/gohugoio/hugo/commit/0cb6ca59) [@​jmooring](https://togithub.com/jmooring) [#​9216](https://togithub.com/gohugoio/hugo/issues/9216) - tpl/debug: Add VisualizeSpaces [`f106251`](https://togithub.com/gohugoio/hugo/commit/f1062519) [@​bep](https://togithub.com/bep) - Prevent the global error collector to panic when sending on closed channel [`9906c1a`](https://togithub.com/gohugoio/hugo/commit/9906c1ae) [@​bep](https://togithub.com/bep) - markup/goldmark: Add config options for the typographer extension [`5596dc2`](https://togithub.com/gohugoio/hugo/commit/5596dc24) [@​bep](https://togithub.com/bep) [#​9772](https://togithub.com/gohugoio/hugo/issues/9772) - Add test for ToC vs include [`5748133`](https://togithub.com/gohugoio/hugo/commit/5748133d) [@​bep](https://togithub.com/bep) [#​10866](https://togithub.com/gohugoio/hugo/issues/10866) - resources.functions: improve validation [`05c095a`](https://togithub.com/gohugoio/hugo/commit/05c095a0) [@​deining](https://togithub.com/deining) - markup/goldmark: Fail on invalid Markdown attributes [`b0b1b76`](https://togithub.com/gohugoio/hugo/commit/b0b1b76d) [@​bep](https://togithub.com/bep) - tpl/math: Return error if less than 2 input numbers [`f5eddf8`](https://togithub.com/gohugoio/hugo/commit/f5eddf89) [@​septs](https://togithub.com/septs) [#​10827](https://togithub.com/gohugoio/hugo/issues/10827) #### Dependency Updates - Revert "build(deps): bump gocloud.dev from 0.24.0 to 0.29.0" [`f014921`](https://togithub.com/gohugoio/hugo/commit/f0149211) [@​bep](https://togithub.com/bep) [#​10993](https://togithub.com/gohugoio/hugo/issues/10993) - build(deps): bump github.com/tdewolff/parse/v2 from 2.6.5 to 2.6.6 [`1292d5a`](https://togithub.com/gohugoio/hugo/commit/1292d5a2) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump gocloud.dev from 0.24.0 to 0.29.0 [`baa5569`](https://togithub.com/gohugoio/hugo/commit/baa55690) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/gobuffalo/flect from 0.3.0 to 1.0.2 [`a5413c1`](https://togithub.com/gohugoio/hugo/commit/a5413c1f) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump golang.org/x/image from 0.5.0 to 0.7.0 [`9cea58a`](https://togithub.com/gohugoio/hugo/commit/9cea58a8) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/tdewolff/minify/v2 from 2.12.4 to 2.12.5 [`1a5dce4`](https://togithub.com/gohugoio/hugo/commit/1a5dce4c) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 [`065ae00`](https://togithub.com/gohugoio/hugo/commit/065ae003) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump google.golang.org/api from 0.76.0 to 0.123.0 [`1a7d57c`](https://togithub.com/gohugoio/hugo/commit/1a7d57c0) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump golang.org/x/tools from 0.4.0 to 0.9.1 [`bba54e6`](https://togithub.com/gohugoio/hugo/commit/bba54e69) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/cli/safeexec from 1.0.0 to 1.0.1 [`7370543`](https://togithub.com/gohugoio/hugo/commit/73705431) [@​dependabot](https://togithub.com/dependabot)\[bot] - build(deps): bump github.com/getkin/kin-openapi from 0.110.0 to 0.117.0 [`f6269ee`](https://togithub.com/gohugoio/hugo/commit/f6269ee9) [@​dependabot](https://togithub.com/dependabot)\[bot] - deps: Update github.com/evanw/esbuild v0.17.0 => v0.17.19 [`715d484`](https://togithub.com/gohugoio/hugo/commit/715d4840) [@​bep](https://togithub.com/bep) - deps: Update github.com/alecthomas/chroma/v2 v2.7.0 [`c371171`](https://togithub.com/gohugoio/hugo/commit/c371171a) [@​bep](https://togithub.com/bep) - deps: Update github.com/bep/golibsass v1.1.0 => v1.1.1 [`24e7d0c`](https://togithub.com/gohugoio/hugo/commit/24e7d0c1) [@​bep](https://togithub.com/bep) [#​10629](https://togithub.com/gohugoio/hugo/issues/10629) [#​10491](https://togithub.com/gohugoio/hugo/issues/10491) #### Documentation - docs: Regen docshelper [`b6e6438`](https://togithub.com/gohugoio/hugo/commit/b6e6438f) [@​bep](https://togithub.com/bep) - commands: Add missing gen docshelper command [`943ff7f`](https://togithub.com/gohugoio/hugo/commit/943ff7f7) [@​bep](https://togithub.com/bep) [#​10953](https://togithub.com/gohugoio/hugo/issues/10953) - docs: Regen CLI docs [`10d0fcc`](https://togithub.com/gohugoio/hugo/commit/10d0fcc0) [@​bep](https://togithub.com/bep) - tpl/lang: document delimiter option for FormatNumberCustom [`1155bbc`](https://togithub.com/gohugoio/hugo/commit/1155bbca) [@​jmooring](https://togithub.com/jmooring) - Update README.md [`4f341fa`](https://togithub.com/gohugoio/hugo/commit/4f341fa1) [@​bep](https://togithub.com/bep) - Update README.md [`46a3cf6`](https://togithub.com/gohugoio/hugo/commit/46a3cf61) [@​bep](https://togithub.com/bep) - Update README.md [`f1e8f01`](https://togithub.com/gohugoio/hugo/commit/f1e8f010) [@​bep](https://togithub.com/bep) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/peaceiris/hugo-theme-iris). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS45OC40IiwidXBkYXRlZEluVmVyIjoiMzUuMTMxLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a Javascript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided
to simply disallow Go template actions from being used inside of them (e.g. "var a =
{{.}}
"), sincethere is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml.
Template.Parse will now return an Error when it encounters templates like this, with a currently unexported
ErrorCode with a value of 12. This ErrorCode will be exported in the next major release.
Users who rely on this behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the
caveat that backticks will now be escaped. This should be used with caution.
Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue.
This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: