Update dependency gohugoio/hugo to v0.125.3 (!217) · Merge requests · Iron Bank Containers / Opensource / gohugo / hugo

Ghost User requested to merge renovate/gohugoio-hugo-0.x into development Apr 23, 2024

This MR contains the following updates:

Package	Update	Change
gohugoio/hugo	patch	`v0.125.2` -> `v0.125.3`

Release Notes

gohugoio/hugo (gohugoio/hugo)

`v0.125.3`

Compare Source

This release fixes a security issue reported by @ejona86 (see #12411) that could allow XSS injection from Markdown content files if one of the internal link or image render hook templates added in Hugo 0.123.0 are enabled. You typically control and trust the content files, but according to Hugo's security model, we state that "template and configuration authors (you) are trusted, but the data you send in is not."

markup/goldmark: Fix data race in the hugocontext wrapper 509ab08 @bep
tpl: Escape .Title in built-in image and link render hooks 15a4b9b @bep
tpl/tplimpl: Improve embedded templates 10a8448 @jmooring #12396
SECURITY.md: Update link to security model 722c486 @ejona86
modules: Fix potential infinite loop in module collection f40f50e @bep #12407

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Update dependency gohugoio/hugo to v0.125.3

Release Notes

v0.125.3

Configuration

Merge request reports

`v0.125.3`