v0.4.1
v0.4.1 (2026-07-11)
-
Fix raw HTML blocks inside blockquotes and tables rendering as live markup when blockquote or table render hooks are active. Alloy entity-encodes
<script>,<div>, and other HTML blocks before the hook template runs. Inline formatting like bold and emphasis renders normally. -
Fix render hook templates receiving unescaped HTML in context fields. Alloy HTML-escapes all
markup.*string values before the hook template runs, covering codeblock, link, image, and heading hooks. A<script>tag inside a fenced code block, an&in a link URL,"in image alt text, or<beta>in a heading display as code text instead of executing or rendering as HTML.Heading
markup.innerpreserves goldmark's own formatting (<strong>,<em>) while escaping user-supplied raw HTML. Headingmarkup.idis escaped unconditionally, covering both the auto-generated slug path and the{id="..."}attribute override which can contain raw&,<, and".