v0.4.1

Patch Changes

  • Fix render hook templates receiving unescaped HTML in context fields. A <script> tag inside a fenced code block, an & in a link URL, " in image alt text, or <beta> in a heading now display as text instead of rendering as live HTML.

    All markup.* string values are HTML-escaped before the hook template runs, covering codeblock, link, image, and heading hooks.

  • Fix raw HTML blocks inside blockquotes and tables rendering as live markup when blockquote or table render hooks are active. Alloy entity-encodes <script>, <div>, and other HTML blocks in markup.inner before the hook template runs. Inline formatting like bold and emphasis renders normally.

  • Heading markup.inner preserves goldmark’s inline formatting (<strong>, <em>) while escaping user-supplied raw HTML. markup.id is escaped unconditionally, covering both the auto-generated slug and the {id="..."} attribute override.