Javascript code leaks into meta tags and RSS feed

[martinschneider]

I am not fully sure whether this behavior is caused by the gallery plugin, my theme or Hugo itself.

Most of my posts have a gallery on top (before any other content). This results in the description to look like this (from the RSS feed):

<description>
if (!jQuery) { alert("jquery is not loaded"); } $( document ).ready(() = { const gallery = $("#gallery-0"); let swipeboxInstance = null; gallery.on('jg.complete', () = { $(() = { $('.
</description>

This makes its way into the RSS feed, and the HTML meta tags which will be utilized when sharing on various social media sites.

My workaround is to add an explicit description for each post. However, I still think this is problematic because the default mechanism in many themes is to populate the description from the post content, and it appears that this doesn't filter out Javascript code.

Here's how Hugo populates og:description, and here's my theme's configuration. Finally, this is how Hugo populates the RSS description field.

[mfg92]

I had a look at it, but I dont know what I can do on my side to avoid this issue.

[oscarmlage]

I finally managed to fix it by using RawContent in the <description> tag of the feed to replace the gallery images, basically with a notice:

      <description>
            {{ .RawContent | replaceRE `{{<\s*gallery[^>]*>}}` "`[image not loaded in rss]`" | markdownify | htmlEscape | safeHTML }}
      </description>

I wrote a post about it in case it can be helpful.