This release fixes a security issue reported by @ejona86 (see #12411) that could allow XSS injection from Markdown content files if one of the internal link or image render hook templates added in Hugo 0.123.0 are enabled. You typically control and trust the content files, but according to Hugo's security model, we state that "template and configuration authors (you) are trusted, but the data you send in is not."
- markup/goldmark: Fix data race in the hugocontext wrapper 509ab08 @bep
- tpl: Escape .Title in built-in image and link render hooks 15a4b9b @bep
- tpl/tplimpl: Improve embedded templates 10a8448 @jmooring #12396
- SECURITY.md: Update link to security model 722c486 @ejona86
- modules: Fix potential infinite loop in module collection f40f50e @bep #12407