This template file from the module hugo-mod-replacements contains the regular expressions for all replacement codes.
There has been a clarifying discussion about whether this template might open a loophole for script attacks. I couldn’t see it myself at first, but the bottom line is simply: No.
With the default setting unsafe: false, Goldmark discards all HTML in the Markdown, including any inside the replacement codes. These regular expressions are applied to the rendered Markdown, which gets cleared of all HTML tags before it’s transformed into HTML itself.
{{
.
| replaceRE `\{\^([^\}]*)\}` "<sup>$1</sup>"
| replaceRE `\{\_([^\}]*)\}` "<sub>$1</sub>"
| replaceRE `\{\~([^\}]*)\}` "<kbd>$1</kbd>"
| replaceRE `\{\!([^\}]*)\}` "<mark>$1</mark>"
| replaceRE `\{\=([^\}]*)\}` "<cite>$1</cite>"
| replaceRE `\{\+([^\}]*)\}` "<ins>$1</ins>"
| replaceRE `\{\$([^\}]*)\}` "<var>$1</var>"
| replaceRE `\{s\s([^\}]*)\}` "<small>$1</small>"
| replaceRE `\{r\s([^\}]*)\}` "<span style='float: right;'>$1</span>"
| replaceRE `\{([a-z]{2})\s([^\}]*)\}` "<span lang='$1'>$2</span>"
| replaceRE `\{\/\}` " <br class='br-cond'>"
| replaceRE `\{w\}` "<wbr>"
| replaceRE `\s?( — |—)\s?` " — "
| replaceRE `(<p[^>]*>|<li[^>]*>)([“«»„])` "$1<span class='hang-quote'>$2</span>"
| safeHTML
}}
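An added Go example, not part of the hugo-mod-replacements module: it applies four of the rules above to two constructed samples of rendered output, one as Goldmark emits it with unsafe: false and one as it would look with raw HTML passed through, and lists every tag the rules could not have produced. The sample strings and the names Apply and UnexpectedTags are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Four of the replaceRE rules from the template above, in the same order.
var rules = [][2]string{
	{`\{\^([^\}]*)\}`, "<sup>$1</sup>"},
	{`\{\_([^\}]*)\}`, "<sub>$1</sub>"},
	{`\{\~([^\}]*)\}`, "<kbd>$1</kbd>"},
	{`\{([a-z]{2})\s([^\}]*)\}`, "<span lang='$1'>$2</span>"},
}

// tagRE captures the name of every opening or closing HTML tag.
var tagRE = regexp.MustCompile(`</?([a-zA-Z][a-zA-Z0-9]*)`)

// Constructed samples of rendered output for the same Markdown line.
const (
	renderedDefault = `<p>H{_2}O, {^2 &lt; 3}, {fr bonjour}, {~<!-- raw HTML omitted -->x<!-- raw HTML omitted -->}</p>`
	renderedUnsafe  = `<p>H{_2}O, {^2 &lt; 3}, {fr bonjour}, {~<script>x</script>}</p>`
)

// Apply runs the rules over already rendered HTML, like the template pipeline.
func Apply(rendered string) string {
	for _, r := range rules {
		rendered = regexp.MustCompile(r[0]).ReplaceAllString(rendered, r[1])
	}
	return rendered
}

// UnexpectedTags returns tag names in out that the rules could not have produced.
func UnexpectedTags(out string) []string {
	allowed := map[string]bool{"p": true, "sup": true, "sub": true, "kbd": true, "span": true}
	var bad []string
	for _, m := range tagRE.FindAllStringSubmatch(out, -1) {
		if name := strings.ToLower(m[1]); !allowed[name] {
			bad = append(bad, name)
		}
	}
	return bad
}

func main() {
	fmt.Println(UnexpectedTags(Apply(renderedDefault))) // sample for unsafe: false
	fmt.Println(UnexpectedTags(Apply(renderedUnsafe)))  // sample for unsafe: true
}
```

The captured groups only ever carry what the renderer already emitted, so the check stays clean for the default sample and flags the script tag only in the sample where raw HTML was let through.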