From d80bf61b7fe5c5cfda4c3eb07feda39b4120b478 Mon Sep 17 00:00:00 2001 From: gzagatti Date: Mon, 11 Jan 2021 16:46:31 +0800 Subject: [PATCH] Fixes #7698. markup: Allow installed arbitrary Asciidoc extension via path validation. --- content/en/content-management/formats.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/content-management/formats.md b/content/en/content-management/formats.md index 576ce2fa3..5654be7f0 100644 --- a/content/en/content-management/formats.md +++ b/content/en/content-management/formats.md @@ -100,6 +100,8 @@ Below are all the AsciiDoc related settings in Hugo with their default values: {{< code-toggle config="markup.asciidocExt" />}} +Notice that for security concerns only extensions that do not have path separators (either `\`, `/` or `.`) are allowed. That means that extensions can only be invoked if they are in one's ruby's `$LOAD_PATH` (ie. most likely, the extension has been installed by the user). Any extension declared relative to the website's path will not be accepted. + Example of how to set extensions and attributes: ```
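Review bot: The added paragraph in content/en/content-management/formats.md lists `.` as a path separator alongside `\` and `/`, which it is not, so a reader cannot tell whether an extension name containing a dot is rejected for being a path or for some other reason. Suggest stating the rule literally, for example "only extension names that contain none of `\`, `/` or `.` are allowed", and saying that this is what prevents loading a file relative to the site directory. The text also says such extensions "will not be accepted" without saying what the user sees; the docs should state whether the build fails or the extension is skipped, since a silently skipped extension is hard to diagnose. Wording nits in the same lines: "for security concerns" reads better as "for security reasons", "one's ruby's `$LOAD_PATH`" as "Ruby's `$LOAD_PATH`", and "ie." as "i.e.".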