Not to worry. I’m replying to Jmooring (Developer) about the matter.
Basically, we both use the same hugo version, same test codes, and same server commands but producing different output. Will have to wait for them to give green light to create GitHub ticket for investigating the matter.
For now, you can use the --minify or htmlUnescape workaround.
Just curious, this <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK+IxCVbWnStuegYrZX3SKnBPA="></script>, when used on Chrome, will it fail to operate?
git clone --single-branch -b hugo-forum-topic-45374 https://github.com/jmooring/hugo-testing hugo-forum-topic-45374
cd hugo-forum-topic-45374
hugo server
The plus sign is encoded by Go’s html/template package. There’s a related issue that’s been open for a few years, but there’s not a strong case to change anything.
Next, view the HTML as interpreted by your browser (dev tools)
I see. In that case, Hugo’s generated SRI is not a problem at all. In fact, this thread is not a problem at all. For web safety, HTML data-related codes are always encoded in escaped characters for safety purposes (reason already presented above).
Any HTML related software (e.g. Chrome, Firefox) must be able to unconditionally unescaping HTML data-related codes before consumption. Otherwise, the bug is related to and originated from that software’s decoding algorithm.
Okay, we can close the case now and have a good sleep. =)