Commit: "e41a06447d" (https://github.com/gohugoio/hugo/commit/e41a06447d) — Disallow HTML content by default Affected versions: all Hugo versions prior to v0.162.0. Fixed in: v0.162.0. Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under "/content" and every content adapter you load. Description. Hugo accepts content files in several markup formats. Files mapped to the "text/html" media type (typically ".html" files under "/content", or pages produced by a content adapter that sets "content.mediaType = "text/html"") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting. Mitigation. v0.162.0 introduces a "security.allowContent" whitelist with "text/html" denied by default. Sites that intentionally author HTML content can opt back in: [security] allowContent = ['.*'] This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.