Hugo

Raw HTML getting omitted in 0.60.0

When using Hugo 0.60.0, raw HTML is now replaced with <!-- raw HTML omitted -->. Is there a way to not omit it, or any smarter workaround?

This is the text in YAML:
description: This is line 1. <br /> this is line 2.

And now it’s being generated as:
<p>This is line 1.<!-- raw HTML omitted -->this is line 2.</p>

And this is expected:
<p>This is line 1.<br />this is line 2.</p>

1 Like

In your config enter:

[markup.goldmark.renderer]
unsafe = true

Also always read the Release Notes before upgrading to a new Hugo version.

3 Likes

@bep, I almost think there should be a warning in the console when building sites with 0.60.x about this (if one or more instances of unsafe HTML are detected and removed by the renderer, emit one warning), I feel like a ton of users will hit this issue and have trouble resolving it.

1 Like

Not only because of having trouble resolving it: in my case, I read the release notes but thought it would be a non-issue for me as I thought I wouldn’t use HTML anywhere.

Turns out, I have some older articles converted over from the old WordPress website which used HTML here and there, mostly for links and formatting instead of Markdown syntax. They displayed wrongly on the live website for a couple of days until I noticed. With a warning, I would have noticed directly.

1 Like

How dare you try to break your lines. You can revert back to Blackfriday thusly: https://git.habd.as/comfusion/after-dark/src/branch/master/bin/install#L91-L96

@bep Do you want to create a poll about changing the default of unsafe to true?

My reasoning is that whoever is adding HTML embedded in the Markdown content in their Hugo sites is knowingly doing that, and they would always need to set unsafe = true.

So far, I haven’t found a reason why one would need to set that to false.

What kind of risk do you foresee on a Hugo generated static site by leaving the unsafe default to false? (There are other means to prevent malicious code injections, like the use of CSP.)

2 Likes
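Added example (not part of the thread and not Hugo's own code): a small Python audit that lists the raw HTML tags present in Markdown content, which shows both which pages the omission touches (as with the converted WordPress articles mentioned above) and what `unsafe = true` would start rendering. The `ACTIVE` tag list, the function names and the sample text are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import Path

FENCE = re.compile(r"^\s*(`{3}|~{3})")        # start/end of a fenced code block
INLINE_CODE = re.compile(r"`[^`\n]*`")        # inline code spans are not raw HTML
# Opening tags only; skips autolinks (<https://...>) and Hugo shortcodes ({{< ... >}}).
TAG = re.compile(r"(?<!\{\{)<([A-Za-z][A-Za-z0-9-]*)(?=[\s/>])[^>]*>")
RISKY_ATTR = re.compile(r"\son[a-z]+\s*=|javascript:", re.I)
# Assumption: tags worth a manual look before enabling unsafe = true.
ACTIVE = {"script", "iframe", "object", "embed", "form", "style", "link", "meta", "base"}

# Constructed sample content file (front matter line taken from the question above).
SAMPLE = """\
---
description: This is line 1. <br /> this is line 2.
---
Old import: <a href="/x" onclick="track()">link</a> and <em>text</em>.
~~~html
<script>not counted: inside a fenced code block</script>
~~~
Inline `<b>` is code and <https://example.org> is an autolink.
<iframe src="https://example.org/widget"></iframe>
"""

def audit_markdown(text):
    """Return (Counter of raw HTML tag names, [(line_no, tag)] needing review)."""
    tags, review, in_fence = Counter(), [], False
    for no, line in enumerate(text.splitlines(), 1):
        if FENCE.match(line):
            in_fence = not in_fence
            continue
        if in_fence:
            continue
        for m in TAG.finditer(INLINE_CODE.sub("", line)):
            name = m.group(1).lower()
            tags[name] += 1
            if name in ACTIVE or RISKY_ATTR.search(m.group(0)):
                review.append((no, name))
    return tags, review

def audit_tree(content_dir):
    """Audit every .md file under content_dir; returns {path: (tags, review)}."""
    files = sorted(Path(content_dir).rglob("*.md"))
    return {str(p): audit_markdown(p.read_text(encoding="utf-8")) for p in files}

if __name__ == "__main__":
    tags, review = audit_markdown(SAMPLE)
    print(dict(tags), review)
```

Run `audit_tree("content")` from the site root before upgrading or before changing the setting; the regex is a heuristic, so treat the output as a review list rather than a complete parse.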

I don’t believe a poll is even needed. It should be true and the config name changed because unsafe just looks… scary.

1 Like

I also believe that it should be true. The poll is just to see if there’s anyone who really needs it to be false.

You’re right that the “unsafe” just makes it look scary.

The poll should be between these two options:

  1. Allow HTML in Markdown content files.
  2. Disallow HTML in Markdown content files.

3 Likes

A request to make unsafe=true the default has already been opened by someone:

1 Like

And the BDFL has spoken. These are the kinds of changes that make old WordPress websites look so [comment=23434]. Anyway, I’m happy to continue using Blackfriday until there’s a compelling reason to switch to an otherwise unproven library when Hugo should be past 1.0.

No.

This isn’t a popularity thing. This is easy to turn off for those who don’t want it, which would include every person that would vote. It’s not possible to turn on for those who don’t know about it.

See my comment here if you have further questions:

What about emitting a warning on omission though? To understand what happened I had to go into page source code, find a comment, then google that comment, then get here.

Instead of leaving a comment in source code Hugo should very obviously state what’s happening when it’s generating the site.

1 Like

This seems like a good compromise if only when the verbose flag is passed. Gruber created Markdown as a superset of HTML and, as it stands, Hugo is no longer using Markdown.

Is there a way to allow “unsafety” on a page-by-page basis?

Something in the front-matter perhaps?

1 Like

No…

Why that would allow you to incrementally upgrade your content. But why would anyone want to do that when they could continue using an older version of Hugo?