Hugo with a CMS for Open-publishing: security with Markdown Attributes

Hi there,

this is a follow-up on a previous post about using Hugo with a CMS for open-publishing.

To summarize, the original question was:

Is it safe to use Hugo and a CMS for open-publishing with the setting unsafe = true?

The answer was crystal clear:


Allright, so let’s use unsafe = false

But another important issue was raised by @pamubay:

Even if you set ‘unsafe = false’, the CMS user can trigger some Javascript:

​```html {onclick="alert('xss')" onmouseenter="alert('xss-onmouseenter')"}
<h1>Hello World</h1>

I checked the code on GitHub and found only these notes: #8215 - markup/goldmark: Add attributes support for blocks - no references to Javascript there.

I’m not in JS, so I’m not sure of the consequences. Can somebody enlighten me?
Is it an expected behavior, or should I raise an issue on GitHub?

Overall, is Hugo a good choice for Open-publishing?


1 Like

Perhaps you should raise an issue at the main Hugo repo.

However if the project will not need to provide code examples in content files, you can always disable standard syntax code blocks in the template with something like:

{{ replaceRE `\x60(.*?)\x60` `` .Content }}

Whenever backticks are found within a page’s .Content the above regular expression will capture everything between and remove it.

Hugo is an open source static site generator. Static HTML is always safer than dynamic.

So for a project that will have users with no technical skills or users who are not trustworthy I think that Hugo would serve your use case, as long as the project’s backend (config + templates) is not accessible to plain users.

1 Like

The vulnerability exists in attributes for blocks, titles, and code fences (```).

To disable attributes for blocks and titles:

block = false  # default is false
title = false  # default is true

You cannot disable attributes for code fences. Instead, disable code fence highlighting and use the highlight shortcode.

codeFences = false  # default is true

Two additional thoughts related to security…

First, make sure that Inline Shortcodes are disabled. This is the default setting.

enableInlineShortcodes = false  # default is false

Second, make sure your shortcodes are safe. In particular, nothing like this:

{{/* layouts/shortcodes/raw.html */}}
{{ .Inner }}

Because it would allow someone to do:

{{< raw >}}
{{< /raw >}}

Thank you for your precious pointers,

I double-checked the whole repo and this looks like an unexpected behavior: the related branch does not refer to such “feature” with Attributes. (See also the release notes and the discussion #7548)

I guess I should open an issue but my time (and my english!) is a bit narrow these days and this repo is sometime intimidating. Anyone feels like doing this?

Thanks a lot for your advanced knowledge. I would like to understand the reason behind this, but couldn’t find details. How to know precisely which attributes are affected?

I would prefer to stick to basic Markdown for two reasons:

  • The content is portable with basic Markdown
  • Shortcode syntax is too difficult for newcomers

That’s no big deal though, and if no simple solution exists I’ll add a component / button in NetlifyCMS and everything will be find :smiley:

Once again, thank you @alexandros and @jmooring for sharing, it’s good to know you’re around

Hugo 0.91 introduces new features around this topic:

(I had no time to check if it fixes everything though)

v0.92.1 and earlier do not address the concerns with JS attribute events.

Follow these:

1 Like

A fix was merged earlier today, thank you Joe for tackling this, and Bep for the quick review!

/cc @pamubay

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.