Reputation: 8028
Hugo dynamic decide "unsafe" <!-- raw HTML omitted -->
I use goldmark as the format.
And I know I can edit the config.toml files to stop the behavior about raw HTML omitted with
[markup.goldmark.renderer]
unsafe = true
My question is, can I use the setting above in the front matter (not the config.toml)?
For example, If I have many markdown files and I want one of them applying unsafe = true and others are not, does it is possible?
If not, can you explain why there is a need for a special distinction under the static site and is it possible to be attacked because of this? (This is actually what I really care about; otherwise, I am very willing to directly set the whole domain to turn on the insecure mode so that markdown is more comprehensive).
Upvotes: 1
Views: 1685
Answers (2)
Reputation: 8028
If you are not sure about the risk of setting the unsafe equal true, then you can set it as the default(false) and then use the shortcode to help you. for example,
I create a file raw_html.html
layouts/shortcodes/raw_html.html
{{.Inner}}
my_demo.md
## bootstrap color
{{< raw_html >}}
<p class="p-3 mb-2 bg-primary text-white">.bg-primary</p>
<p class="p-3 mb-2 bg-secondary text-white">.bg-secondary</p>
{{< /raw_html >}}
## inside link
brabrabra {{<raw_html>}}<a name="my_color">nice color</a>{{</raw_html>}} foo foo
[go to nice-color](#my_color)
## table
| {{<raw_html>}}<div style="width:64px">name</div>{{</raw_html>}} | Description |
| ---- | ---- |
| xxxxx| OOOOO|
output
<head> <!-- the head is extra code for getting the bootstrap style -->
<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-giJF6kkoqNQ00vy+HMDP7azOuL0xtbfIcaT9wjKHr8RbDVddVHyTfAAsrekwKmP1" crossorigin="anonymous">
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ygbV9kiqUc6oa4msXn9868pTtWMgiQaeYH7/t7LECLbyPA2x65Kgf80OJFdroafW" crossorigin="anonymous"></script>
</head>
<h2 id="bootstrap-color">bootstrap color</h2>
<p class="p-3 mb-2 bg-primary text-white">.bg-primary</p>
<p class="p-3 mb-2 bg-secondary text-white">.bg-secondary</p>
<h2 id="inside-link">inside link</h2>
<p>brabrabra <a name="my_color">nice color</a> foo foo</p>
<a href="#my_color">go to nice-color</a>
<h2 id="table">table</h2>
<table><thead><tr><th><div style="width:64px">name</div></th>
<th>Description</th></tr></thead>
<tbody><tr><td>xxxxx</td><td>OOOOO</td></tr></tbody>
</table>Upvotes: 3
Reputation: 777
To answer the question: "Can unsafe mode be applied partially, i.e. in the front matter in Hugo?"
No, it is not (and should not be) possible to define unsafeHTML in front matter. Allowing content creators to override the security model would be self-defeating.
Upvotes: 0
Related Questions
- With Hugo, can we use HTML code in a md file?
- HUGO: was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff)
- Escape HTML code with TWIG Markdown
- Hugo: do not escape HTML in a page .Title when generating <title> tag in the header.html partial
- How to nest shortcodes with Hugo ? raw HTML ommitted
- Can I escape a shortcode from a Hugo theme from blogdown
- HUGO: Insert JS in between markdown Content
- Blogdown and hugo not parsing html tags in markdown
- Write a link that does not get converted to an <a/> tag in a markdownified string with hugo
- Ignore unsafe html in Angular