v0.4.1
Patch Changes
-
Fix render hook templates receiving unescaped HTML in context fields. A
<script>tag inside a fenced code block, an&in a link URL,"in image alt text, or<beta>in a heading now display as text instead of rendering as live HTML.All
markup.*string values are HTML-escaped before the hook template runs, covering codeblock, link, image, and heading hooks. -
Fix raw HTML blocks inside blockquotes and tables rendering as live markup when blockquote or table render hooks are active. Alloy entity-encodes
<script>,<div>, and other HTML blocks inmarkup.innerbefore the hook template runs. Inline formatting like bold and emphasis renders normally. -
Heading
markup.innerpreserves goldmark’s inline formatting (<strong>,<em>) while escaping user-supplied raw HTML.markup.idis escaped unconditionally, covering both the auto-generated slug and the{id="..."}attribute override.