Merge pull request #174 from CURIOSSorg/security/fix-unsafe-html-rendering

RichardLitt · web-flow · commit 0a7f556dd2b9 · 2026-04-07T15:59:37.000+12:00
Security: Disable unsafe HTML rendering in markdown
diff --git a/config.yaml b/config.yaml
@@ -161,7 +161,7 @@ googleAnalytics: ''
 markup:
   goldmark:
     renderer:
-      unsafe: true
+      unsafe: false  # Security: block dangerous HTML tags like <script>, <iframe>
 minify:
   disableHTML: true
 params:
