The world’s fastest framework for building websites.
This release fixes a security issue reported by @ejona86 (see #12411) that could allow XSS injection from Markdown content files if one of the internal link or image render hook templates added in Hugo 0.123.0 is enabled. You typically control and trust the content files, but according to Hugo's security model, we state that "template and configuration authors (you) are trusted, but the data you send in is not."
Some of the notable new features in this release:
.RenderShortcode in a shortcode, typically used to resolve links and page resources relative to an included Page
.Luminance to $image.Color, allowing for sorting by relative luminance. e197c7b29 @bep #10450
This release is built with Go 1.22.2 (#12351) which comes with a fix for security issue CVE-2023-45288. We don't see how that could be exploited in Hugo, but we do appreciate that people want a clean security report.
The new feature in this release is a new segments configuration section and a new --renderSegments flag/config key. This release also updates to Go 1.22.1, which fixes a security issue in the template package that Hugo uses (CVE-2023-45289, see https://github.com/golang/go/issues/65697). We don't see how this could be exploited in Hugo, but we appreciate that Hugo users want to have a clean security report.