diff --git a/hugolib/content_render_hooks_test.go b/hugolib/content_render_hooks_test.go index edfeaa82a81..7acd8849a3d 100644 --- a/hugolib/content_render_hooks_test.go +++ b/hugolib/content_render_hooks_test.go @@ -497,3 +497,55 @@ disableKinds = ["page", "section", "taxonomy", "term"] b.BuildE(BuildCfg{}) b.Assert(int(logger.LogCounters().WarnCounter.Count()), qt.Equals, 0) } + +func TestAttributeExclusion(t *testing.T) { + b := newTestSitesBuilder(t) + + b.WithConfigFile("toml", ` + [markup.goldmark.renderer] + unsafe = false + + [markup.goldmark.parser.attribute] + block = true + title = true + `) + + b.WithTemplates("_default/single.html", "{{ .Content }}") + + b.WithContent("p1.md", `--- +title: "p1" +--- +## Heading {class="a" onclick="alert('heading')" linenos="inline"} + +> Blockquote +{class="b" ondblclick="alert('blockquote')" LINENOS="inline"} + +~~~bash {id="c" onmouseover="alert('code fence')" linenos=true linenostart=2 hl_lines=[3] hl_style=dracula} +javascript +security +issue +~~~ +`, + ) + + b.Build(BuildCfg{}) + + b.AssertFileContent("public/p1/index.html", ` +

Heading

+

Blockquote

+
+
+ +
+
2
+3
+4
+
 +
javascript
+security
+issue
+
+
+
+`) +} diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go index 9e9ca197678..e6d959abfe7 100644 --- a/markup/goldmark/render_hooks.go +++ b/markup/goldmark/render_hooks.go @@ -161,7 +161,8 @@ func renderAttributes(w util.BufWriter, skipClass bool, attributes ...ast.Attrib continue } - if attributeExcludes[string(attr.Name)] { + a := strings.ToLower(string(attr.Name)) + if attributeExcludes[a] || strings.HasPrefix(a, "on") { continue }