Adds the citeproc filter to the pandoc converter.
There are several PRs for it this feature already. However, I think
simply adding `--citeproc` is the cleanest way to enable this feature,
with the option to flesh it out later, e.g., in #7529.
Some PRs and issues attempt adding more config options to Hugo which
indirectly configure pandoc, but I think simply configuring Pandoc via
Pandoc itself is simpler, as it is already possible with two YAML
blocks -- one for Hugo, and one for Pandoc:
---
title: This is the Hugo YAML block
---
---
bibliography: assets/pandoc-yaml-block-bibliography.bib
...
Document content with @citation!
There are other useful options, e.g., #4800 attempts to use `nocite`,
which works out of the box with this PR:
---
title: This is the Hugo YAML block
---
---
bibliography: assets/pandoc-yaml-block-bibliography.bib
nocite: |
@*
...
Document content with no citations but a full bibliography:
## Bibliography
Other useful options are `csl: ...` and `link-citations: true`, which
set the path to a custom CSL file and create HTML links between the
references and the bibliography.
The following issues and PRs are related:
- Add support for parsing citations and Jupyter notebooks via Pandoc and/or Goldmark extension #6101
Bundles multiple requests, this PR tackles citation parsing.
- WIP: Bibliography with Pandoc #4800
Passes the frontmatter to Pandoc and still uses
`--filter pandoc-citeproc` instead of `--citeproc`.
- Allow configuring Pandoc #7529
That PR is much more extensive and might eventually supersede this PR,
but I think --bibliography and --citeproc should be independent
options (--bibliography should be optional and citeproc can always be
specified).
- Pandoc - allow citeproc extension to be invoked, with bibliography. #8610
Similar to #7529, #8610 adds a new config option to Hugo.
I think passing --citeproc and letting the users decide on the
metadata they want to pass to pandoc is better, albeit uglier.
This ommmit contains some security hardening measures for the Hugo build runtime.
There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".
For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.
These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.
You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.
The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.
```toml
[security]
enableInlineShortcodes = false
[security.exec]
allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']
[security.funcs]
getenv = ['^HUGO_']
[security.http]
methods = ['(?i)GET|POST']
urls = ['.*']
```
This commmit prepares for the addition of Goldmark as the new Markdown renderer in Hugo.
This introduces a new `markup` package with some common interfaces and each implementation in its own package.
See #5963
