Hugo

Raw HTML getting omitted in 0.60.0

When using hugo 0.60.0, raw HTML are now replaced with <!-- raw HTML omitted -->. Is there a way to not omitting them, or any smarter workaroune?

This the text in yaml:
description: This is line 1. <br /> this is line 2.

And now it’s being generated as:
<p>This is line 1.<!-- raw HTML omitted -->this is line 2.</p>

And this is expected:
<p>This is line 1.<br />this is line 2.</p>

1 Like

In your config enter:

[markup.goldmark.renderer]
unsafe= true

Also always read the Release Notes before upgrading to a new Hugo version.

3 Likes

@bep, I almost think there should be a warning in the console when building sites with 0.60.x about this (if one or more instances of unsafe HTML are detected and removed by the renderer, emit one warning), I feel like a ton of users will hit this issue and have trouble resolving it.

1 Like

Not only because of having trouble to resolve it: In my case, I read the release notes but thought it would be a non-issue for me as I thought I wouldn’t use HTML anywhere.

Turns out, I have some older articles converted over from the old Wordpress website which used HTML here and there, mostly for links and formatting instead of Markdown syntax. They displayed wrongly on the live website for a couple of days until I noticed. With a warning, I would have noticed directly.

1 Like

How dare you try to break your lines. You can revert back to Blackfriday thusly: https://git.habd.as/comfusion/after-dark/src/branch/master/bin/install#L91-L96

@bep Do you want to create a poll about changing the default of unsafe to true?

My reasoning is that whoever is adding HTML embedded in the Markdown content in their Hugo sites is knowingly doing that, and they would always need to set unsafe = true.

So far, I haven’t found a reason why one would need to set that to false.

What kind of risk do you foresee on a Hugo generated static site by leaving the unsafe default to false? (There are other means to prevent malicious code injections, like the use of CSP.)

2 Likes

I don’t believe a poll is even needed. It should be true and the config name changed because unsafe just looks… scary.

1 Like

I also believe that it should be true. The poll is just to see if there’s anyone really who really needs to be false.

You’re right that the “unsafe” just makes it look scary.

The poll should be between these two options:

  1. Allow HTML in Markdown content files.
  2. Disallow HTML in Markdown content files.
3 Likes

Request to make unsafe=true as default has already be opened by someone:

2 Likes

And the BDFL has spoken. These are the kinds of changes that make old WordPress websites look so [comment=23434]. Anyway, I’m happy to continue using Blackfriday until there’s a compelling reason to switch to an otherwise unproven library when Hugo should be past 1.0.

No.

This isn’t a popularity thing. This is easy to turn off for those who don’t want it, which would include every person that would vote. It’s not possible to turn on for those who don’t know about it.

See my comment here if you have further questions:

What about emitting a warning on omission though? To understand what happened I had to go into page source code, find a comment, then google that comment, then get here.

Instead of leaving a comment in source code Hugo should very obviously state what’s happening when it’s generating the site.

4 Likes

This seems like a good compromise if only when the verbose flag is passed. Gruber created Markdown as a superset of HTML and, as it stands, Hugo is no longer using Markdown.

Is there a way to allow “unsafety” on a page-by-page basis?

Something in the front-matter perhaps?

1 Like

No…

This! Just throw me a little warning that some content is being omitted, I’m not going to check 500 pages for little quirks after each Hugo update…

1 Like

hugo gets updated very often when I update my operating system. I expect my site to keep working if I don’t touch it, but it’s not the case. It would be very nice if there was a breaking changes page somewhere in gohugo.io so I don’t need to read thousands of changes in case something breaks some day.

The Release Notes mentions “if you have lots of inline HTML…”. I don’t, but my site is still broken because the shortcodes are HTML, so they all disappeared. I just wanted to change a few words in my site but it turned out to be much longer.

I noticed the shortcodes were gone, so I went to the documentation (I can’t read the last 20 release notes) to see if the syntax had changed, where I see that you can now use either {{< and >}} and {{% and %}}, or is it />}} and /%}}? both are shown there… and index .Params 0 is now .Get 0? But both ways are still shown without mentioning what is the old and the new way. Tried them all out… then finally noticed the raw HTML omitted messages…

I let someone else parse and convert this into issues if needed :slight_smile:

Happy holidays!

2 Likes