Add support for blockquote alerts in layout files

Signed-off-by: chibbyalucard <[email protected]>

Author: chibbyalucard

README.md

@@ -122,24 +122,156 @@ icon:
 > [!NOTE]
 > You can highlight important information in your articles or docs using different types of callouts (also known as admonitions – or alerts, as used in [the Hugo docs](https://gohugo.io/render-hooks/blockquotes/#alerts)).
 
-The examples below use the same syntax as in Github Markdown. The template responsible for rendering them is at `site/layouts/_default/_markup/render-blockquote.html`
+For compatibility with both content and layout files, we use a mix of shortcodes and partials to display blockquote alerts. Partials work in layout, but not content files. Shortcodes work in content, but not layout files. Use the partial in layout files, and the shortcode (which internally calls the partial) in content files.
 
+The partial is at `site/layouts/partials/blockquote-alert.html`, and the shortcode is at `site/layouts/shortcodes/blockquote-alert.html`.
+
+There are five available alert types as shown in the examples below:
+
+- note
+- tip
+- important
+- warning
+- caution
+
+Omit the `title` parameter to keep the alert type as the default title (for example, a note alert will have "Note" as its title):
+
+```md
+<!-- Shortcodes in content files -->
+
+{{< blockquote-alert type="note" title="Optional custom title">}}
+Useful information that users should know, even when skimming content.
+{{< /blockquote-alert >}}
+
+{{< blockquote-alert type="tip" title="Optional custom title">}}
+Helpful advice for doing things better or more easily.
+{{< /blockquote-alert >}}
+
+{{< blockquote-alert type="important" title="Optional custom title">}}
+Key information users need to know to achieve their goal.
+{{< /blockquote-alert >}}
+
+{{< blockquote-alert type="warning" title="Optional custom title">}}
+Urgent info that needs immediate user attention to avoid problems.
+{{< /blockquote-alert >}}
+
+{{< blockquote-alert type="caution" title="Optional custom title">}}
+Advises about risks or negative outcomes.
+{{< /blockquote-alert >}}
 ```
-> [!NOTE]
-> Useful information that users should know, even when skimming content.
 
-> [!TIP]
-> Helpful advice for doing things better or more easily.
+In layout files, call the partial directly. Just like shortcode content, anything passed to the  `content` parameter is parsed as Markdown. To pass raw HTML instead, use the `html` parameter. Again, the title parameter is optional and will default to the alert type:
 
-> [!IMPORTANT]
-> Key information users need to know to achieve their goal.
+```html
+<!-- Partials in layout files -->
+
+<!-- Anything passed via `content` is interpreted as Markdown -->
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "note"
+    "title" "Optional custom title"
+    "content" "Useful information that users should know, even when skimming content."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "tip"
+    "title" "Optional custom title"
+    "content" "Helpful advice for doing things better or more easily."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "important"
+    "title" "Optional custom title"
+    "content" "Key information users need to know to achieve their goal."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "warning"
+    "title" "Optional custom title"
+    "content" "Urgent info that needs immediate user attention to avoid problems."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "caution"
+    "title" "Optional custom title"
+    "content" "Advises about risks or negative outcomes."
+) }}
+```
+
+In addition to simple string content as shown above, you can also pass in complex nested content with multiple paragraphs and elements:
 
-> [!WARNING]
-> Urgent info that needs immediate user attention to avoid problems.
+```md
+<!-- Shortcode example with more complex content -->
+
+{{< blockquote-alert type="tip" title="Optional custom Title" >}}
+This is a tip with **bold text** and _italic_ text.
+
+This is a second paragraph in the same alert.
+
+- List item 1
+- List item 2
+{{< /blockquote-alert >}}
+```
+
+You can do similar in partials. These are all valid options. Additionally, you can assign content to a variable before passing it in, which helps with formatting in longer templates:
+
+```html
+<!-- You can wrap your markdown content in backticks if it doesn't itself contain backticks -->
+<!-- Note that indented lines could be interpreted as a preformatted code block. -->
+{{ $alertContent := `This is a tip with **bold text** and _italic_ text.
+
+This is a second paragraph in the same alert.
+            
+- List item 1
+- List item 2
+`}}
+
+{{ partial "blockquote-alert.html" (dict
+  "type" "tip"
+  "title" "Optional custom title"
+  "content" $alertContent
+) }}
+
+<!-- Concatenate multi-line strings (markdown) -->
+{{ $alertContent := add
+  "This is a tip with **bold text** and _italic_ text.\n\n"
+  "This is a second paragraph in the same alert.\n"
+  "- List item 1\n"
+  "- List item 2\n\n"
+  "`Here's some text in backticks.`"
+}}
+
+{{ partial "blockquote-alert.html" (dict
+  "type" "tip"
+  "title" "Optional custom title"
+  "content" $alertContent
+) }}
+
+<!-- Pass HTML with nested elements -->
+{{ partial "blockquote-alert" (dict 
+    "type" "caution" 
+    "title" "Be Careful!" 
+    "html" "<p>This is a <strong>caution</strong> message.</p><p>It has multiple paragraphs.</p>"
+) }}
+```
+
+
+> [!IMPORTANT]
+> When working with complex content, make sure to handle line breaks properly within the strings passed to the `content` or `html` parameters. For example, the following will throw a parse error (`html: overlay: parse failed unterminated quoted string in action`):
 
-> [!CAUTION]
-> Advises about risks or negative outcomes.
 ```
+{{ partial "blockquote-alert" (dict
+    "type" "caution"
+    "title" "Be Careful!"
+    "html" "<p>This is a <strong>caution</strong> message.</p>
+    <p>It has multiple paragraphs.</p>"
+) }}
+```
+
+To avoid this, you can use either of the following options:
+
+- Keep everything on a single line
+- Use string concatenation (whether in a variable or directly)
 
 #### Layouts
 For controlling what HTML is rendered, you need to work with the site templates. In the directory, `site/layouts/`, you'll find a number of HTML files with various template tags. The first file to check out is `site/layouts/_default/baseof.html` - this is the base layout Hugo uses to build your site that templates extend. Hugo has a lookup order for associating a content entry to a template. A single entry whose type is post (`type: post`), Hugo will look for a layout in `site/layouts/post/single.html`, and if that does not exist, it will fallback to `site/layouts/_default/single.html`. 

site/content/blog/2025-04-02-zap-updates-march-2025/index.md

@@ -15,8 +15,9 @@ authors:
 
 ## Highlights
 
-> [!IMPORTANT]
-> The big news last month was the release of [2.16.1](/blog/2025-03-25-zap-2-16-1/)!
+{{< blockquote-alert type="important">}}
+The big news last month was the release of [2.16.1](/blog/2025-03-25-zap-2-16-1/)!
+{{< /blockquote-alert >}}
 
 As part of this release the [Script Console](/docs/desktop/addons/script-console/) now uses the main 
 [Output](/docs/desktop/ui/tabs/output/) tab instead of its own "Script Output" panel.
@@ -45,8 +46,9 @@ The following significant changes have been made to this website:
 * A new [Script Security](/docs/getting-further/script-security/) advanced guide
 * Even more [Authentication Tests](/docs/scans/auth/)
 
-> [!NOTE]
-> We now have the option to highlight important information, as demonstrated here!
+{{< blockquote-alert type="note">}}
+We now have the option to highlight important information, as demonstrated here!
+{{< /blockquote-alert >}}
 
 ## GitHub Pulse
 Here are some statistics for the two main ZAP repositories:

site/content/blog/2025-04-09-portswigger-labs-broken-brute-force-protection-ip-block/index.md

@@ -61,12 +61,13 @@ Copy-paste the lab URL into the *URL to explore* field and launch your browser w
 
 ![launch-test-site-ZAP-configured-browser.png](images/launch-test-site-ZAP-configured-browser.png)
 
-> [!NOTE]
-> If you have any issues launching your browser from ZAP, see the following pages for help. ZAP uses add-ons to enhance its core features, including ones which provide webdrivers for interfacing with supported browsers. These are installed by default and expose some configurable options:
->
-> 1. [How can I fix 'browser was not found'?](/faq/how-can-i-fix-browser-was-not-found/) - ZAP Docs (FAQ)
-> 2. [Manual Explore](/docs/desktop/addons/quick-start/#manual-explore) - ZAP Docs
-> 3. [Selenium](/docs/desktop/addons/selenium/) - ZAP Docs
+{{< blockquote-alert type="note">}}
+If you have any issues launching your browser from ZAP, see the following pages for help. ZAP uses add-ons to enhance its core features, including ones which provide webdrivers for interfacing with supported browsers. These are installed by default and expose some configurable options:
+
+1. [How can I fix 'browser was not found'?](/faq/how-can-i-fix-browser-was-not-found/) - ZAP Docs (FAQ)
+2. [Manual Explore](/docs/desktop/addons/quick-start/#manual-explore) - ZAP Docs
+3. [Selenium](/docs/desktop/addons/selenium/) - ZAP Docs
+{{< /blockquote-alert >}}
 
 Assuming you’ve opened the lab in a browser configured to proxy through ZAP, let’s try to log in with a random password. We want to capture a POST request we can work with in ZAP. I’ll try “randompass”. We’re notified that this is an “Incorrect password”, which is expected:
 
@@ -96,8 +97,9 @@ After one minute, we can indeed make more login attempts. The idea is that if we
 
 If we enter our own credentials, `wiener:peter`, on every third login attempt, the IP block never activates. Each successful login resets the counter tracking the number of failed login attempts. We can keep going until we’ve tried enough passwords from our wordlist to find the right one for Carlos' account.
 
-> [!NOTE]
-> This bypass — taking advantage of a logic flaw to reset the failure counter — enables us to brute-force Carlos’ password and successfully solve this lab. Although not the point of the lab, we can also wait out the IP block since we’re dealing with only a few credentials. This is covered in “Method 2: Wait Out the IP Block”.
+{{< blockquote-alert type="note">}}
+This bypass — taking advantage of a logic flaw to reset the failure counter — enables us to brute-force Carlos’ password and successfully solve this lab. Although not the point of the lab, we can also wait out the IP block since we’re dealing with only a few credentials. This is covered in “Method 2: Wait Out the IP Block”.
+{{< /blockquote-alert >}}
 
 What about changing our IP address? I used the [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For) header successfully in another lab. But the server here appears to block IPs based on the client's actual IP address (determined by the network layer rather than HTTP headers from the application layer), which makes sense in the context of rate-limiting. Rotating IP addresses via a proxy or VPN could work, but we won’t explore that here.
 
@@ -564,8 +566,9 @@ All functions, except the `log` function, are part of a required interface that
 
 ![implementation-error.png](images/implementation-error.png)
 
-> [!NOTE]
-> Refer to the default templates for the interfaces required for each script type. You can find these in the Templates section of the Scripts tab. They include documentation comments describing each function and its parameters. You can also create new scripts from the templates. 
+{{< blockquote-alert type="note">}}
+Refer to the default templates for the interfaces required for each script type. You can find these in the Templates section of the Scripts tab. They include documentation comments describing each function and its parameters. You can also create new scripts from the templates.
+{{< /blockquote-alert >}}
 
 You can save the file now. Also, check that the script is enabled, as disabled scripts won’t be available for selection when needed. If you missed the *Enable* checkbox earlier, you can right-click the filename in the *Scripts* tab and select *Enable Script(s)*.
 
@@ -583,10 +586,11 @@ After you open the *Add Payload* dialog, you can add the Payload Generator scrip
 
 Save the payload and return to the main Fuzzer dialog. Then, run the Fuzzer with *Start Fuzzer*.
 
-> [!IMPORTANT]
-> You might notice that even though the payloads are generated correctly (as the logs in the script output panel show), the requests are sent in the wrong order. This causes an unexpected IP block early on. As a result, most of the requests are rejected with the message: `You have made too many incorrect login attempts. Please try again in 1 minute(s).`
->
-> This is due to the Fuzzer’s concurrency settings. You can enable sequential execution by setting the number of execution threads to 1. However, this slows down the Fuzzer a great deal. An alternative is to throttle requests with a small delay of 100–200 milliseconds. See [Options Fuzzer screen](/docs/desktop/addons/fuzzer/options/) for more detail.
+{{< blockquote-alert type="important">}}
+You might notice that even though the payloads are generated correctly (as the logs in the script output panel show), the requests are sent in the wrong order. This causes an unexpected IP block early on. As a result, most of the requests are rejected with the message: `You have made too many incorrect login attempts. Please try again in 1 minute(s).`
+
+This is due to the Fuzzer’s concurrency settings. You can enable sequential execution by setting the number of execution threads to 1. However, this slows down the Fuzzer a great deal. An alternative is to throttle requests with a small delay of 100–200 milliseconds. See [Options Fuzzer screen](/docs/desktop/addons/fuzzer/options/) for more detail.
+{{< /blockquote-alert >}}
 
 You can skip over the next section and head to [Have Username, Got Password](#have-username-got-password).
 
@@ -715,8 +719,9 @@ You can optionally move the script to the top of the processor list. Then, run t
 
 Once the Fuzzer is done, we can inspect the results. We’re looking for indications of a successful login. So, we’ll sort the results in descending order using the status code column (simply “*Code”* in the UI).
 
-> [!NOTE]
-> Both of these solutions are valid. As you might have noticed if you’ve solved a lab more than once, different lab instances can have different password solutions. So, you could see different passwords than shown below.
+{{< blockquote-alert type="note">}}
+Both of these solutions are valid. As you might have noticed if you’ve solved a lab more than once, different lab instances can have different password solutions. So, you could see different passwords than shown below.
+{{< /blockquote-alert >}}
 
 ### Method 1: Interleave Wordlists With Valid Credentials
 

site/content/docs/getting-further/script-security.md

@@ -22,8 +22,9 @@ For more details on ZAP’s security posture see the
 ### Script Capabilities
 As noted on the [Script Console](/docs/desktop/addons/script-console/) page:
 
-> [!WARNING]
-> Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!
+{{< blockquote-alert type="warning">}}
+Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!
+{{< /blockquote-alert >}}
 
 All scripts can call other scripts and any command line tools that are accessible to them based on OS permissions.
 Scripts can access any online services unless restricted by firewalls or similar.

site/content/faq/somethings-not-working-what-should-i-do.md

@@ -63,5 +63,6 @@ You can chat with the ZAP team on [Slack](/slack/), if you have not already join
 You can raise issues (bugs or new features) at the [issue
 tracker](https://github.com/zaproxy/zaproxy/issues/new/choose).
 
-> [!WARNING]
-> Please do not ask questions as issues - they will be closed and you will be redirected to the [ZAP user group](https://groups.google.com/group/zaproxy-users).
+{{< blockquote-alert type="warning">}}
+Please do not ask questions as issues - they will be closed and you will be redirected to the [ZAP user group](https://groups.google.com/group/zaproxy-users).
+{{< /blockquote-alert >}}

site/layouts/page/download.html

@@ -75,6 +75,19 @@ <h2 id="main">{{ .title }}</h2>
                 Next to it, if you trust the downloaded installer, you can click <strong>Open anyway</strong>.
             </div>
           </blockquote>
+
+
+          
+
+          
+            
+            
+          {{ partial "blockquote-alert.html" (dict
+          "type" "warning"
+          "html" "<p>This is a <strong>caution</strong> message.</p><p>It has multiple paragraphs.</p>"
+          ) }}
+
+          
       </div>
   </section>
 

site/layouts/partials/blockquote-alert.html

@@ -0,0 +1,43 @@
+{{ $emojis := dict
+"caution" ":bangbang:"
+"important" ":information_source:"
+"note" ":memo:"
+"tip" ":bulb:"
+"warning" ":warning:"
+}}
+
+{{ $type := .type | default "note" }}
+{{ $title := .title | default "" }}
+{{ $content := .content | default "" }}
+{{ $html := .html | default "" }}
+
+{{/* Handle inner content from shortcodes */}}
+{{ if .inner }}
+{{ $content = .inner }}
+{{ end }}
+
+{{ if $type }}
+<blockquote class="alert alert-{{ $type }}">
+    <p class="alert-heading">
+        {{ transform.Emojify (index $emojis $type) }}
+        {{ if $title }}
+        {{ $title }}
+        {{ else }}
+        {{ or (i18n $type) (title $type) }}
+        {{ end }}
+    </p>
+    <div class="alert-content">
+        {{ if $html }}
+        {{ $html | safeHTML }}
+        {{ else if $content }}
+        {{ $content | markdownify }}
+        {{ else }}
+        {{ i18n "no-content" }}
+        {{ end }}
+    </div>
+</blockquote>
+{{ else }}
+<blockquote>
+    {{ $content | markdownify }}
+</blockquote>
+{{ end }}

site/layouts/shortcodes/blockquote-alert.html

@@ -0,0 +1,9 @@
+{{ $type := .Get "type" | default "note" }}
+{{ $title := .Get "title" | default "" }}
+{{ $inner := .Inner }}
+
+{{ partial "blockquote-alert" (dict
+  "type" $type
+  "title" $title
+  "inner" $inner
+) }}