GHSA-c54g-xjwj-8g82
Hugo: XSS via text/html content files
Details
**Commit:** [e41a06447d](https://github.com/gohugoio/hugo/commit/e41a06447d) — _Disallow HTML content by default_

**Affected versions:** all Hugo versions prior to v0.162.0.

**Fixed in:** v0.162.0.

**Severity:** Low to Medium, depending on threat model. Not an issue if you fully trust every file under `/content` and every content adapter you load.
**Description.** Hugo accepts content files in several markup formats. Files mapped to the `text/html` media type (typically `.html` files under `/content`, or pages produced by a content adapter that sets `content.mediaType = "text/html"`) had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.
**Mitigation.** v0.162.0 introduces a `security.allowContent` whitelist with `text/html` denied by default. Sites that intentionally author HTML content can opt back in:
```toml
[security]
allowContent = ['.*']
```
This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.
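The allowlist gate described above, modelled as an added Go example that is not Hugo's own code: it assumes `allowContent` patterns are regular expressions matched against the whole media type, and the default pattern list (`DefaultAllowContent`), the `ContentFile` type and the sample file are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// ContentPolicy models a media-type allowlist in the spirit of security.allowContent.
// Illustrative code, not Hugo's own; patterns are assumed to be regular expressions.
type ContentPolicy struct{ patterns []*regexp.Regexp }
// DefaultAllowContent is a constructed default: parser-rendered markup types only, text/html deliberately absent.
var DefaultAllowContent = []string{"text/markdown", "text/asciidoc", "text/org", "text/pandoc", "text/rst"}
// NewContentPolicy compiles the patterns, anchoring each so "text/html" cannot also match "text/html-foo".
func NewContentPolicy(patterns []string) (*ContentPolicy, error) {
	p := &ContentPolicy{}
	for _, s := range patterns {
		re, err := regexp.Compile("^(?:" + s + ")$")
		if err != nil {
			return nil, fmt.Errorf("allowContent pattern %q: %w", s, err)
		}
		p.patterns = append(p.patterns, re)
	}
	return p, nil
}
// Allowed reports whether content of the given media type may be built at all.
func (p *ContentPolicy) Allowed(mediaType string) bool {
	for _, re := range p.patterns {
		if re.MatchString(mediaType) {
			return true
		}
	}
	return false
}
// ContentFile is a constructed stand-in for a source file under /content.
type ContentFile struct{ Path, MediaType, Body string }
// Build passes each allowed body through verbatim (standing in for the real renderer) and fails the whole build, naming the file, on the first denied media type.
func Build(p *ContentPolicy, files []ContentFile) (map[string]string, error) {
	out := map[string]string{}
	for _, f := range files {
		if !p.Allowed(f.MediaType) {
			return nil, fmt.Errorf("%s: media type %q is not allowed by security.allowContent", f.Path, f.MediaType)
		}
		out[f.Path] = f.Body
	}
	return out, nil
}
func main() {
	p, _ := NewContentPolicy(DefaultAllowContent) // opt in with []string{".*"} to accept HTML content
	fmt.Println(Build(p, []ContentFile{{"content/widget.html", "text/html", "<b>constructed</b>"}}))
}
```

Under the default policy the build is refused with the offending path in the error; with `['.*']` the HTML body is passed through unchanged, which is exactly why the opt-in should be limited to sites that trust every HTML source.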
**Affected packages:** `github.com/gohugoio/hugo` (Go). Fixed in: 0.162.0 (`go get github.com/gohugoio/hugo@v0.162.0`).