Do not warn on potentially unsafe HTML comments when unsafe=false

bep · bep · commit e2bd987c2d6f · 2025-01-21T10:47:34.000+01:00
We will still not render these comments, so from a safety perspective this is the same, but HTML comments are very common also inside Markdown and too useful to throw away. Updates gohugoio#13278
diff --git a/markup/goldmark/goldmark_integration_test.go b/markup/goldmark/goldmark_integration_test.go
@@ -851,3 +851,54 @@ title: "p1"
 	b.AssertFileContent("public/p1/index.html", "! <!-- raw HTML omitted -->")
 	b.AssertLogContains("! WARN")
 }
+
+// See https://github.com/gohugoio/hugo/issues/13278#issuecomment-2603280548
+func TestGoldmarkRawHTMLCommentNoWarning(t *testing.T) {
+	files := `
+-- hugo.toml --
+disableKinds = ['home','rss','section','sitemap','taxonomy','term']
+markup.goldmark.renderer.unsafe = false
+-- content/p1.md --
+---
+title: "p1"
+---
+# HTML comments
+
+## Simple 
+<!-- This is a comment -->
+
+    <!-- This is a comment indented -->
+
+	**Hello**<!-- This is a comment indented with markup surrounding. -->_world_.
+## With HTML
+
+<!-- <p>This is another paragraph </p> -->
+
+## With HTML and JS
+
+<!-- <script>alert('hello');</script> -->
+
+## With Block
+
+<!--
+<p>Look at this cool image:</p>
+<img border="0" src="pic_trulli.jpg" alt="Trulli">
+-->
+
+XSS 
+
+<!-- --><script>alert("I just escaped the HTML comment")</script><!-- -->
+
+-- layouts/_default/single.html --
+{{ .Content }}
+`
+
+	b := hugolib.Test(t, files, hugolib.TestOptWarn())
+
+	b.AssertFileContent("public/p1/index.html", "! <!-- raw HTML omitted -->")
+	b.AssertLogContains("! Raw HTML omitted")
+
+	b = hugolib.Test(t, strings.ReplaceAll(files, "markup.goldmark.renderer.unsafe = false", "markup.goldmark.renderer.unsafe = true"), hugolib.TestOptWarn())
+	b.AssertFileContent("public/p1/index.html", "<!-- This is a comment -->")
+	b.AssertLogContains("! WARN")
+}
diff --git a/markup/goldmark/hugocontext/hugocontext.go b/markup/goldmark/hugocontext/hugocontext.go
@@ -174,6 +174,9 @@ func (r *hugoContextRenderer) renderHTMLBlock(
 	w util.BufWriter, source []byte, node ast.Node, entering bool,
 ) (ast.WalkStatus, error) {
 	n := node.(*ast.HTMLBlock)
+	isHTMLComment := func(b []byte) bool {
+		return len(b) > 4 && b[0] == '<' && b[1] == '!' && b[2] == '-' && b[3] == '-'
+	}
 	if entering {
 		if r.Unsafe {
 			l := n.Lines().Len()
@@ -188,16 +191,24 @@ func (r *hugoContextRenderer) renderHTMLBlock(
 				r.Writer.SecureWrite(w, linev)
 			}
 		} else {
-			r.logRawHTMLEmittedWarn(w)
-			_, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+			l := n.Lines().At(0)
+			v := l.Value(source)
+			if !isHTMLComment(v) {
+				r.logRawHTMLEmittedWarn(w)
+				_, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+			}
 		}
 	} else {
 		if n.HasClosure() {
 			if r.Unsafe {
 				closure := n.ClosureLine
 				r.Writer.SecureWrite(w, closure.Value(source))
 			} else {
-				_, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+				l := n.Lines().At(0)
+				v := l.Value(source)
+				if !isHTMLComment(v) {
+					_, _ = w.WriteString("<!-- raw HTML omitted -->\n")
+				}
 			}
 		}
 	}
