Missing escaping in code blocks

I was about to write a long GitHub issue, but I think it’s better to post it here with the solution:

TL;DR: blackfriday+syntax highlight=missing escaping of “<” and “>” in some cases.

With Hugo 60, if you keep blackfriday, you need to know that syntax highlight is turned on by default with that version, so you probably need to specify in your config.toml:

codeFences = false

Now a few details if highlight stays “true” for codeFences:

(sorry for the screenshots, but GitHub/Discourse interprets both Markdown and HTML)

The following code:

Correctly produces with Goldmark:


But with blackfriday:


That bug appeared with Hugo 60.

With Hugo 59.1 and blackfriday the result was:


Sadly the solution is not just to “specify HTML for your code blocks”, because the missing escaping also appears in other situations:


Generated with blackfriday and Hugo from 60 to current 61:


So when we don’t specify the kind of code, or the language is unknown, or with an indented code block, some escaping is now missing, specifically for “<” and “>”.

Thanks to the release notes, I saw the only relevant change: Hugo 60: “Config option for code highlighting of code fences in Markdown is now default on. This is what most people wants.”


I wrote that test to demonstrate the bug (https://github.com/tdelmas/hugo/pull/1), but as blackfriday will be deprecated (https://github.com/gohugoio/hugo/issues/6487), I didn’t go any further.
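A way to check already-generated pages for the symptom described in the post above, as an added example that is not part of the original post or of Hugo's code. The function name, the regular expressions and the sample HTML are constructed for illustration, and the check assumes the highlighter only ever adds `<span>` elements inside a code block.

```go
package main

import (
	"fmt"
	"regexp"
)

// codeBody captures the inside of each <pre>...<code ...>BODY</code> block.
var codeBody = regexp.MustCompile(`(?s)<pre[^>]*>\s*<code[^>]*>(.*?)</code>`)

// rawTag matches anything that still looks like an HTML tag inside a code body.
var rawTag = regexp.MustCompile(`</?[A-Za-z][^<>]*>`)

// highlighterTag matches the only markup a highlighter is assumed to add.
var highlighterTag = regexp.MustCompile(`^</?span\b`)

// UnescapedTags returns the tags found inside code blocks of a rendered page
// that are not highlighter <span> markup, i.e. source text that reached the
// output without "<" and ">" being escaped.
func UnescapedTags(page string) []string {
	var found []string
	for _, m := range codeBody.FindAllStringSubmatch(page, -1) {
		for _, tag := range rawTag.FindAllString(m[1], -1) {
			if !highlighterTag.MatchString(tag) {
				found = append(found, tag)
			}
		}
	}
	return found
}

func main() {
	// Constructed samples: one snippet rendered escaped, unescaped, and highlighted.
	escaped := `<pre><code>&lt;b&gt;bold&lt;/b&gt;</code></pre>`
	broken := `<pre><code><b>bold</b></code></pre>`
	highlighted := `<div class="highlight"><pre><code class="language-html">` +
		`<span class="p">&lt;</span><span class="nt">b</span><span class="p">&gt;</span></code></pre></div>`

	fmt.Printf("escaped:     %q\n", UnescapedTags(escaped))
	fmt.Printf("broken:      %q\n", UnescapedTags(broken))
	fmt.Printf("highlighted: %q\n", UnescapedTags(highlighted))
}
```

A literal `<span>` written in the source snippet would pass this check unnoticed, so an empty result does not prove a page is clean.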