Hugo: XSS via text/html content files
🔗 CVE IDs covered (1)
📋 Description
Commit: e41a06447d — Disallow HTML content by default
Affected versions: all Hugo versions prior to v0.162.0.
Fixed in: v0.162.0.
Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load.
Description. Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.
Mitigation. v0.162.0 introduces a security.allowContent whitelist with text/html denied by default. Sites that intentionally author HTML content can opt back in:
[security]
allowContent = ['.*']
This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.
🎯 Affected products1
- go/github.com/gohugoio/hugo:< 0.162.0