gohugoio / hugo

The world’s fastest framework for building websites.
https://gohugo.io
Apache License 2.0

Default table alignment triggers common Content Security Policy #12890

Closed rtfmkiesel closed 6 hours ago

rtfmkiesel commented 7 hours ago

The default option for table alignments is 'left'. Would it be possible to exclude the style attribute altogether, if no : is used to indicate the alignment?

Having inline style tags triggers a CSP which does not allow for style-src 'unsafe-inline';.


What version of Hugo are you using (hugo version)?

$ hugo version
hugo v0.135.0-f30603c47f5205e30ef83c70419f57d7eb7175ab+extended windows/amd64 BuildDate=2024-09-27T13:17:08Z VendorInfo=gohugoio

Does this issue reproduce with the latest release?

Yes

jmooring commented 6 hours ago

This is a duplicate of #12886 which is resolved by https://github.com/gohugoio/hugo/pull/12889.

You can also control rendering of Markdown tables by creating a render hook. This will allow you to set left/right/center classes instead of using inline styles.
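A table render hook along the lines suggested above, as an added example that is not part of the original thread or of Hugo's own templates. It assumes the v0.135-era hook path `layouts/_default/_markup/render-table.html`; the `text-left`/`text-center`/`text-right` class names are hypothetical and must be defined in a stylesheet that the site's `style-src` allows.

```go-html-template
{{- /* layouts/_default/_markup/render-table.html (added example)
       Emits alignment as a class and never writes a style attribute,
       so the output is compatible with a CSP lacking 'unsafe-inline'.
       Class names text-left/center/right are assumptions. */ -}}
<table
  {{- range $k, $v := .Attributes }}
    {{- /* Skip empty values and any style attribute set via Markdown attributes. */ -}}
    {{- if and $v (ne $k "style") }}
      {{- printf " %s=%q" $k $v | safeHTMLAttr }}
    {{- end }}
  {{- end }}>
  <thead>
    {{- range .THead }}
      <tr>
        {{- range . }}
          {{- /* .Alignment is the column alignment; when it is empty, no attribute is written. */ -}}
          <th{{ with .Alignment }} class="text-{{ . }}"{{ end }}>
            {{- .Text -}}
          </th>
        {{- end }}
      </tr>
    {{- end }}
  </thead>
  <tbody>
    {{- range .TBody }}
      <tr>
        {{- range . }}
          <td{{ with .Alignment }} class="text-{{ . }}"{{ end }}>
            {{- .Text -}}
          </td>
        {{- end }}
      </tr>
    {{- end }}
  </tbody>
</table>
```

After rebuilding, searching the generated HTML for `style=` is a quick check that no inline style attributes remain in rendered tables.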

rtfmkiesel commented 5 hours ago

Thanks for the fast response, but it's not quite the issue I am describing.

Using your branch, I get the HTML of <td style=text-align:>test</td> when no : is used. This still triggers the CSP. The complete style attribute would need to be left out. Now, it's just an invalid style attribute.

Output: <td style=text-align:>test</td>
Expected: <td>test</td>

Applied wrong patch, ignore

rtfmkiesel commented 5 hours ago

The render hook workaround works, thanks for the hint!