v0.8.2

fix, security

Security fix: heading XSS, i18n language context bug, Plausible warning spam, image attribute extraction

Heading HTML Injection (Security Fix)

Markdown headings containing HTML special characters (e.g., <, >, &) were rendered without escaping, allowing raw HTML injection into the page. A heading like ## Use <script> tags would inject a literal <script> element into the output.

Heading text is now HTML-escaped before being written into <h> tags, matching the behavior of all other inline content.
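The before and after behaviour described above, as an added Rust example that is not seite's own code: parse_heading, escape_html and both render functions are hypothetical names, and the heading parser handles only simple ATX lines.

```rust
// Added illustration of the heading fix; all names here are hypothetical, not seite's API.

/// Escape characters that are significant in HTML. The release note lists <, > and &;
/// escaping quotes as well is an assumption of this example.
fn escape_html(text: &str) -> String {
    let mut out = String::with_capacity(text.len());
    for c in text.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Split an ATX heading line ("## Title") into (level, text); None if it is not a heading.
fn parse_heading(line: &str) -> Option<(usize, &str)> {
    let level = line.chars().take_while(|&c| c == '#').count();
    if level == 0 || level > 6 {
        return None;
    }
    let rest = &line[level..];
    // A space must follow the run of '#' unless the heading is empty.
    if !rest.is_empty() && !rest.starts_with(' ') {
        return None;
    }
    Some((level, rest.trim()))
}

/// Pre-fix behaviour as described: heading text is copied into the tag unescaped.
fn render_heading_unescaped(line: &str) -> Option<String> {
    let (level, text) = parse_heading(line)?;
    Some(format!("<h{0}>{1}</h{0}>", level, text))
}

/// Post-fix behaviour: heading text is HTML-escaped before it is written into the tag.
fn render_heading_escaped(line: &str) -> Option<String> {
    let (level, text) = parse_heading(line)?;
    Some(format!("<h{0}>{1}</h{0}>", level, escape_html(text)))
}

fn main() {
    let line = "## Use <script> tags"; // heading quoted in the release note
    println!("{}", render_heading_unescaped(line).unwrap());
    println!("{}", render_heading_escaped(line).unwrap());
}
```
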

Multilingual site.language Incorrect for Non-Default Languages

SiteContext::for_lang() always set site.language to the default language from seite.toml instead of the language actually being rendered. This meant <html lang="..."> and any template logic using {{ site.language }} would show the wrong language code on translated pages.

site.language now correctly reflects the page's language for every render pass.

Plausible Deprecation Warning Printed Once Per HTML File

The Plausible extensions deprecation notice was emitted inside the per-file analytics injection loop, which runs in parallel via Rayon. On a site with 200 pages, the warning printed 200 times. The warning is now emitted once before the post-processing loop.

Image src Attribute Extraction Matched Partial Names

The extract_attr helper used during image post-processing matched attribute names by substring. Searching for src would match data-src if it appeared earlier in the tag, causing the wrong URL to be used for srcset generation and <picture> element construction.

Attribute matching now requires a whitespace boundary before the attribute name, so data-src no longer shadows src.