Fix upstream Go templates bug with reversed key/value assignment

The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See https://github.com/golang/go/issues/59234 Fixes #11112
2025-08-21 21:35:28 +02:00 · 2023-06-15 16:34:16 +02:00
parent 0f989d5e21
commit ee359df172
24 changed files with 276 additions and 143 deletions
--- a/tpl/tplimpl/integration_test.go
+++ b/tpl/tplimpl/integration_test.go
@@ -2,6 +2,7 @@ package tplimpl_test

 import (
 	"path/filepath"
+	"strings"
 	"testing"

 	qt "github.com/frankban/quicktest"
@@ -160,3 +161,70 @@ title: "S3P1"
 	b.AssertFileContent("public/s2/p1/index.html", `S2P1`)
 	b.AssertFileContent("public/s3/p1/index.html", `S3P1`)
 }
+
+func TestGoTemplateBugs(t *testing.T) {
+
+	t.Run("Issue 11112", func(t *testing.T) {
+		t.Parallel()
+
+		files := `
+-- config.toml --
+-- layouts/index.html --
+{{ $m := dict "key" "value" }}
+{{ $k := "" }}
+{{ $v := "" }}
+{{ range $k, $v = $m }}
+{{ $k }} = {{ $v }}
+{{ end }}
+	`
+
+		b := hugolib.NewIntegrationTestBuilder(
+			hugolib.IntegrationTestConfig{
+				T:           t,
+				TxtarString: files,
+			},
+		)
+		b.Build()
+
+		b.AssertFileContent("public/index.html", `key = value`)
+	})
+
+}
+
+func TestSecurityAllowActionJSTmpl(t *testing.T) {
+
+	filesTemplate := `
+-- config.toml --
+SECURITYCONFIG
+-- layouts/index.html --
+<script>
+var a = §§{{.Title }}§§;
+</script>
+	`
+
+	files := strings.ReplaceAll(filesTemplate, "SECURITYCONFIG", "")
+
+	b, err := hugolib.NewIntegrationTestBuilder(
+		hugolib.IntegrationTestConfig{
+			T:           t,
+			TxtarString: files,
+		},
+	).BuildE()
+
+	b.Assert(err, qt.Not(qt.IsNil))
+	b.Assert(err.Error(), qt.Contains, "{{.Title}} appears in a JS template literal")
+
+	files = strings.ReplaceAll(filesTemplate, "SECURITYCONFIG", `
+[security]
+[security.gotemplates]
+allowActionJSTmpl = true		
+`)
+
+	b = hugolib.NewIntegrationTestBuilder(
+		hugolib.IntegrationTestConfig{
+			T:           t,
+			TxtarString: files,
+		},
+	).Build()
+
+}