Defend the software environment against ill effects
When a project includes content from unknown sources, we need to worry about content security.
The Hugo binary runs in a sandbox to offer maximal runtime security while rendering static sites. External dependencies are configured explicitly.
The security configuration file in config/_default contains the runtime security settings for Hugo.
Replacement codes let us avoid raw HTML in Markdown. A single partial replaces them with the inline tags lacking a syntax element in Goldmark.