MEDIUM
GHSA-q76j-gcg9-vxc6
Hugo: XSS via unescaped code-fence language in default code block renderer
Details
Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the `<code class="language-…" data-lang="…">` wrapper without HTML escaping. A fence info-string containing a quote and a `<script>` payload breaks out of the attribute and injects a live script element.
This is not an issue if you fully trust every file under /content and every content adapter you load.
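As an added illustration (not Hugo's own code, and not the project's actual fix), the snippet below contrasts a renderer that interpolates the fence info-string verbatim into the `class`/`data-lang` attributes with one that HTML-escapes it first; the info-string value and the `isSafeLang` allowlist helper are constructed for this example.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// renderUnescaped mirrors the flaw described above: the info-string is written
// into the attribute values without escaping, so a quote ends the attribute.
func renderUnescaped(lang, code string) string {
	return fmt.Sprintf(`<pre><code class="language-%s" data-lang="%s">%s</code></pre>`,
		lang, lang, html.EscapeString(code))
}

// renderEscaped entity-encodes the info-string (", <, >, &, ') before it is
// placed in the attributes, so it can no longer break out of them.
func renderEscaped(lang, code string) string {
	safe := html.EscapeString(lang)
	return fmt.Sprintf(`<pre><code class="language-%s" data-lang="%s">%s</code></pre>`,
		safe, safe, html.EscapeString(code))
}

// isSafeLang is an additional, stricter defence (hypothetical, not Hugo's):
// accept only characters that occur in real language names such as c++ or c#.
var langPattern = regexp.MustCompile(`^[A-Za-z0-9_+#.-]+$`)

func isSafeLang(lang string) bool { return langPattern.MatchString(lang) }

// containsRawScript reports whether an unescaped <script tag reached the output.
func containsRawScript(out string) bool {
	return strings.Contains(strings.ToLower(out), "<script")
}

func main() {
	// Constructed sample fence info-string: go"><script>alert(1)</script>
	lang := `go"><script>alert(1)</script>`
	code := `fmt.Println("hello")`
	fmt.Println("unescaped:", renderUnescaped(lang, code))
	fmt.Println("escaped:  ", renderEscaped(lang, code))
	fmt.Println("allowlisted?", isSafeLang(lang), isSafeLang("c++"))
}
```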
Affected packages
Go / github.com/gohugoio/hugo
Introduced in: 0.60.0
Fixed in: 0.163.3
Fix: go get github.com/gohugoio/hugo@v0.163.3