GHSA-q76j-gcg9-vxc6MediumDisclosed before NVD
Hugo: XSS via unescaped code-fence language in default code block renderer
📋 Description
Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the <code class="language-…" data-lang="…"> wrapper without HTML escaping. A fence info-string containing a quote and a <script> payload breaks out of the attribute and injects a live script element.
This is not an issue if you fully trust every file under /content and every content adapter you load.
🎯 Affected products1
- go/github.com/gohugoio/hugo:>= 0.60.0, < 0.163.3