More commits (will be squashed)

Author: Wryhder

README.md

@@ -122,13 +122,15 @@ icon:
 > [!NOTE]
 > You can highlight important information in your articles or docs using different types of callouts (also known as admonitions – or alerts, as used in [the Hugo docs](https://gohugo.io/render-hooks/blockquotes/#alerts)).
 
-For compatibility with HTML and Markdown in both content and layout files, we use a mix of shortcodes and partials to display blockquote alerts. Shortcodes on their own don't work in layout files, so you'll want to call a partial in layout files but use a shortcode (that calls the partial) in Markdown and HTML content files.
+For compatibility with both content and layout files, we use a mix of shortcodes and partials to display blockquote alerts. Partials work in layout, but not content files. Shortcodes work in content, but not layout files. So you'll want to call the partial in layout files but use the shortcode (it calls the partial) in content files.
 
 The partial is at `site/layouts/partials/blockquote-alert.html`, and the shortcode is at `site/layouts/shortcodes/blockquote-alert.html`.
 
-There are five alert types. You can use these directly in Markdown and HTML cotent files. Omit the `title` parameter to keep the alert type as the default title (for example, a note alert will have "Note" as its title):
+There are five alert types as shown in the examples below. Omit the `title` parameter to keep the alert type as the default title (for example, a note alert will have "Note" as its title). The descriptions for the alert types are borrowed from the Hugo docs:
 
 ```
+# Shortcodes in content files
+
 {{< blockquote-alert type="note" title="Optional custom title">}}
 Useful information that users should know, even when skimming content.
 {{< /blockquote-alert >}}
@@ -147,76 +149,135 @@ Key information users need to know to achieve their goal.
 
 ----------------
 
-{{< blockquote-alert type="warning" title="This is the title">}}
+{{< blockquote-alert type="warning" title="Optional custom title">}}
 Urgent info that needs immediate user attention to avoid problems.
 {{< /blockquote-alert >}}
 
 ----------------
 
-{{< blockquote-alert type="caution" title="This is the title">}}
+{{< blockquote-alert type="caution" title="Optional custom title">}}
 Advises about risks or negative outcomes.
 {{< /blockquote-alert >}}
 ```
 
-You can include both simple string content, as shown above, and complex nested content with multiple paragraphs and HTML elements:
+For layout files, you can call the partial as shown in the examples below. Just like in the shortcode examples, any string passed into the `content` parameter is interpreted as markdown. Use `html` instead `to pass in HTML. Again, the title parameter is optional and will default to the alert type:
+
+```
+# Partials in layout files
+
+{{/* These are interpreted as Markdown */}}
+{{ partial "blockquote-alert.html" (dict
+    "type" "note"
+    "title" "Optional custom title"
+    "content" "Useful information that users should know, even when skimming content."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "tip"
+    "title" "Optional custom title"
+    "content" "Helpful advice for doing things better or more easily."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "important"
+    "title" "Optional custom title"
+    "content" "Key information users need to know to achieve their goal."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "warning"
+    "title" "Optional custom title"
+    "content" "Urgent info that needs immediate user attention to avoid problems."
+) }}
+
+{{ partial "blockquote-alert.html" (dict
+    "type" "caution"
+    "title" "Optional custom title"
+    "content" "Advises about risks or negative outcomes."
+) }}
+
+These are also valid:
+
+{{ $alertContent := `This is a tip with **bold text** and _italic_ text.
+
+This is a second paragraph in the same alert.
+            
+- List item 1
+- List item 2
+`}}
+
+{{ partial "blockquote-alert.html" (dict
+  "type" "tip"
+  "title" "Optional custom title"
+  "content" $alertContent
+) }}
+
+
+{{ $alertContent := add
+  "This is a tip with **bold text** and _italic_ text.\n\n"
+  "This is a second paragraph in the same alert.\n"
+  "- List item 1\n"
+  "- List item 2\n\n"
+  "`Here's some text in backticks.`"
+}}
+
+{{ partial "blockquote-alert.html" (dict
+  "type" "tip"
+  "title" "Optional custom title"
+  "content" $alertContent
+) }}
+```
 
-Shortcode:
+You can include simple string content, as shown above, or complex nested content with multiple paragraphs and HTML elements:
 
 ```
-{{< blockquote-alert type="tip" title="Custom Title" >}}
+# Shortcode in content files
+
+{{< blockquote-alert type="tip" title="Optional custom Title" >}}
 This is a tip with **bold text** and _italic_ text.
 
 This is a second paragraph in the same alert.
 
 - List item 1
 - List item 2
 {{< /blockquote-alert >}}
-```
 
-For layout files, you can call the partial like so::
+# Partial in layout files
 
-```
 {{ partial "blockquote-alert.html" (dict
     "type" "tip"
-    "title" "Pro Tip"
-    "content" "<p>Use partials to avoid repeating logic.</p>"
+    "title" "Optional custom title"
+    "content" "<p>Helpful advice for doing things better or more easily.</p>"
 ) }}
-```
-
 
-**In Layout Files (calling partial directly)**
-
-```go-html-template
-<!-- Simple text -->
-{{ partial "blockquote-alert" (dict "type" "important" "content" "This is an important message.") }}
-
-<!-- HTML content -->
 {{ partial "blockquote-alert" (dict 
     "type" "caution" 
     "title" "Be Careful!" 
     "content" "<p>This is a <strong>caution</strong> message.</p><p>It has multiple paragraphs.</p>"
 ) }}
+```
 
-<!-- Dynamic content -->
-{{ $alertContent := printf "<p>Page last updated: %s</p><p>Author: %s</p>" (.Lastmod.Format "January 2, 2006") .Params.author }}
-{{ partial "blockquote-alert" (dict "type" "note" "title" "Page Info" "content" $alertContent) }}
 ```
+{{ $alertContent := `This is a tip with **bold text** and _italic_ text.
+
+This is a second paragraph in the same alert.
+            
+- List item 1
+- List item 2
+`}}
 
-**In Other Partials:**
 
-```go-html-template
-{{ define "partials/footer-notice.html" }}
-  {{ partial "blockquote-alert" (dict 
-      "type" "important" 
-      "title" "Subscribe" 
-      "content" "<p>Want to stay updated? <a href='/subscribe'>Join our newsletter</a>.</p>"
-  ) }}
-{{ end }}
-```
+{{ $alertContent := add
+  "This is a tip with **bold text** and _italic_ text.\n\n"
+  "This is a second paragraph in the same alert.\n"
+  "- List item 1\n"
+  "- List item 2\n\n"
+  "`Here's some text in backticks.`"
+}}
 
 **NOTE:**
 
-You'll want to handle line breaks properly within the HTML content string when working with complex content. For example, the following will throw a parse error (`html: overlay: parse failed unterminated quoted string in action`):
+You'll want to handle line breaks properly within the content string in partials when working with complex content. For example, the following will throw a parse error (`html: overlay: parse failed unterminated quoted string in action`):
 
 ```
 {{ partial "blockquote-alert" (dict
@@ -227,19 +288,21 @@ You'll want to handle line breaks properly within the HTML content string when w
 ) }}
 ```
 
-To fix this, you can:
+To fix this, use either of these options:
 
 - Keep everything on a single line
 - Use string concatenation (whether in a variable or directly)
 
 ```
+<!-- Option #1: Keep everything on a single line -->
 {{ partial "blockquote-alert" (dict
     "type" "caution"
     "title" "Be Careful!"
     "content" "<p>This is a <strong>caution</strong> message.</p><p>It has multiple paragraphs.</p>"
 ) }}
 
 ---------------
+<!-- Option #2: Use string concatenation (whether in a variable or directly) -->
 
 {{ $alertContent := add
   "<p>This is a <strong>caution</strong> message.</p>"
@@ -251,7 +314,62 @@ To fix this, you can:
   "title" "Be Careful!"
   "content" $alertContent
 ) }}
-```
+
+This is a tip with **bold text** and _italic_ text.
+
+This is a second paragraph in the same alert.
+
+- List item 1
+- List item 2
+```\
+
+
+-------------------------------------------------------
+You can pass Markdown through the shortcode or the partial. In fact, if you use the `content` parameter, it's assumed
+you've passed either plain text or markdown and your content is treated as such (passed through markdownify).
+To pass and have your content be treated as HTML, use the `html` parameter instead.
+
+(Looking for a cleaner, more readable way to format the content so it doesn't include so many tags)
+
+{{ $alertContent := add
+  "On **Windows**, you will see a message like:\n\n"
+  "`ZAP_<version>_windows.exe isn't commonly downloaded.`\n\n"
+  "To circumvent this warning, click **...** → **Keep** → **Show more** → **Keep anyway**.\n\n"
+  "On **macOS**, you will see a message like:\n\n"
+  "`\"ZAP.app\" cannot be opened because the developer cannot be verified.`\n\n"
+  "To circumvent this warning, go to **System Preferences** > **Security & Privacy**. "
+  "You will see a message saying that \"ZAP\" was blocked. Click **Open anyway** if you trust the installer.\n"
+}}
+
+{{ $alertContent := `
+On **Windows**, you will see a message like:
+
+`ZAP_<version>_windows.exe isn't commonly downloaded. Make sure you trust ZAP_<version>_windows.exe before you open it.`
+
+To circumvent this warning, you would need to click on **...** and then **Keep**,  
+then **Show more** and then **Keep anyway**.
+
+On **macOS**, you will see a message like:
+
+`"ZAP.app" cannot be opened because the developer cannot be verified.`
+
+To circumvent this warning, go to **System Preferences** > **Security & Privacy** at the bottom of the dialog.  
+You will see a message saying that "ZAP" was blocked. If you trust the installer, click **Open anyway**.
+` }}
+
+{{ $alertContent := add
+  "<p><strong>The ZAP releases are currently unsigned</strong></p>"
+  "<p>On <strong>Windows</strong>, you will see a message like: "
+  "<code>ZAP_&lt;version&gt;_windows.exe isn't commonly downloaded. Make sure you trust ZAP_&lt;version&gt;_windows.exe before you open it.</code><br>"
+  "To circumvent this warning, you would need to click on <strong>...</strong> and then <strong>Keep</strong>, then "
+  "<strong>Show more</strong> and then <strong>Keep anyway</strong>.</p>"
+  "<p>On <strong>macOS</strong>, you will see a message like: "
+  "<code>&quot;ZAP.app&quot; cannot be opened because the developer cannot be verified.</code><br>"
+  "To circumvent this warning, you would need to go to <strong>System Preferences</strong> &gt; <strong>Security & Privacy</strong> at "
+  "the bottom of the dialog. You will see a message saying that &quot;ZAP&quot; was blocked. Next to it, if you trust the "
+  "downloaded installer, you can click <strong>Open anyway</strong>.</p>"
+}}
+-------------------------------------------------------
 
 #### Layouts
 For controlling what HTML is rendered, you need to work with the site templates. In the directory, `site/layouts/`, you'll find a number of HTML files with various template tags. The first file to check out is `site/layouts/_default/baseof.html` - this is the base layout Hugo uses to build your site that templates extend. Hugo has a lookup order for associating a content entry to a template. A single entry whose type is post (`type: post`), Hugo will look for a layout in `site/layouts/post/single.html`, and if that does not exist, it will fallback to `site/layouts/_default/single.html`. 

site/content/blog/2025-04-02-zap-updates-march-2025/index.md

@@ -15,8 +15,9 @@ authors:
 
 ## Highlights
 
-> [!IMPORTANT]
-> The big news last month was the release of [2.16.1](/blog/2025-03-25-zap-2-16-1/)!
+{{< blockquote-alert type="important">}}
+The big news last month was the release of [2.16.1](/blog/2025-03-25-zap-2-16-1/)!
+{{< /blockquote-alert >}}
 
 As part of this release the [Script Console](/docs/desktop/addons/script-console/) now uses the main 
 [Output](/docs/desktop/ui/tabs/output/) tab instead of its own "Script Output" panel.
@@ -45,8 +46,9 @@ The following significant changes have been made to this website:
 * A new [Script Security](/docs/getting-further/script-security/) advanced guide
 * Even more [Authentication Tests](/docs/scans/auth/)
 
-> [!NOTE]
-> We now have the option to highlight important information, as demonstrated here!
+{{< blockquote-alert type="note">}}
+We now have the option to highlight important information, as demonstrated here!
+{{< /blockquote-alert >}}
 
 ## GitHub Pulse
 Here are some statistics for the two main ZAP repositories:

site/content/blog/2025-04-09-portswigger-labs-broken-brute-force-protection-ip-block/index.md

@@ -61,12 +61,13 @@ Copy-paste the lab URL into the *URL to explore* field and launch your browser w
 
 ![launch-test-site-ZAP-configured-browser.png](images/launch-test-site-ZAP-configured-browser.png)
 
-> [!NOTE]
-> If you have any issues launching your browser from ZAP, see the following pages for help. ZAP uses add-ons to enhance its core features, including ones which provide webdrivers for interfacing with supported browsers. These are installed by default and expose some configurable options:
->
-> 1. [How can I fix 'browser was not found'?](/faq/how-can-i-fix-browser-was-not-found/) - ZAP Docs (FAQ)
-> 2. [Manual Explore](/docs/desktop/addons/quick-start/#manual-explore) - ZAP Docs
-> 3. [Selenium](/docs/desktop/addons/selenium/) - ZAP Docs
+{{< blockquote-alert type="note">}}
+If you have any issues launching your browser from ZAP, see the following pages for help. ZAP uses add-ons to enhance its core features, including ones which provide webdrivers for interfacing with supported browsers. These are installed by default and expose some configurable options:
+
+1. [How can I fix 'browser was not found'?](/faq/how-can-i-fix-browser-was-not-found/) - ZAP Docs (FAQ)
+2. [Manual Explore](/docs/desktop/addons/quick-start/#manual-explore) - ZAP Docs
+3. [Selenium](/docs/desktop/addons/selenium/) - ZAP Docs
+{{< /blockquote-alert >}}
 
 Assuming you’ve opened the lab in a browser configured to proxy through ZAP, let’s try to log in with a random password. We want to capture a POST request we can work with in ZAP. I’ll try “randompass”. We’re notified that this is an “Incorrect password”, which is expected:
 
@@ -96,8 +97,9 @@ After one minute, we can indeed make more login attempts. The idea is that if we
 
 If we enter our own credentials, `wiener:peter`, on every third login attempt, the IP block never activates. Each successful login resets the counter tracking the number of failed login attempts. We can keep going until we’ve tried enough passwords from our wordlist to find the right one for Carlos' account.
 
-> [!NOTE]
-> This bypass — taking advantage of a logic flaw to reset the failure counter — enables us to brute-force Carlos’ password and successfully solve this lab. Although not the point of the lab, we can also wait out the IP block since we’re dealing with only a few credentials. This is covered in “Method 2: Wait Out the IP Block”.
+{{< blockquote-alert type="note">}}
+This bypass — taking advantage of a logic flaw to reset the failure counter — enables us to brute-force Carlos’ password and successfully solve this lab. Although not the point of the lab, we can also wait out the IP block since we’re dealing with only a few credentials. This is covered in “Method 2: Wait Out the IP Block”.
+{{< /blockquote-alert >}}
 
 What about changing our IP address? I used the [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For) header successfully in another lab. But the server here appears to block IPs based on the client's actual IP address (determined by the network layer rather than HTTP headers from the application layer), which makes sense in the context of rate-limiting. Rotating IP addresses via a proxy or VPN could work, but we won’t explore that here.
 
@@ -564,8 +566,9 @@ All functions, except the `log` function, are part of a required interface that
 
 ![implementation-error.png](images/implementation-error.png)
 
-> [!NOTE]
-> Refer to the default templates for the interfaces required for each script type. You can find these in the Templates section of the Scripts tab. They include documentation comments describing each function and its parameters. You can also create new scripts from the templates. 
+{{< blockquote-alert type="note">}}
+Refer to the default templates for the interfaces required for each script type. You can find these in the Templates section of the Scripts tab. They include documentation comments describing each function and its parameters. You can also create new scripts from the templates.
+{{< /blockquote-alert >}}
 
 You can save the file now. Also, check that the script is enabled, as disabled scripts won’t be available for selection when needed. If you missed the *Enable* checkbox earlier, you can right-click the filename in the *Scripts* tab and select *Enable Script(s)*.
 
@@ -583,10 +586,11 @@ After you open the *Add Payload* dialog, you can add the Payload Generator scrip
 
 Save the payload and return to the main Fuzzer dialog. Then, run the Fuzzer with *Start Fuzzer*.
 
-> [!IMPORTANT]
-> You might notice that even though the payloads are generated correctly (as the logs in the script output panel show), the requests are sent in the wrong order. This causes an unexpected IP block early on. As a result, most of the requests are rejected with the message: `You have made too many incorrect login attempts. Please try again in 1 minute(s).`
->
-> This is due to the Fuzzer’s concurrency settings. You can enable sequential execution by setting the number of execution threads to 1. However, this slows down the Fuzzer a great deal. An alternative is to throttle requests with a small delay of 100–200 milliseconds. See [Options Fuzzer screen](/docs/desktop/addons/fuzzer/options/) for more detail.
+{{< blockquote-alert type="important">}}
+You might notice that even though the payloads are generated correctly (as the logs in the script output panel show), the requests are sent in the wrong order. This causes an unexpected IP block early on. As a result, most of the requests are rejected with the message: `You have made too many incorrect login attempts. Please try again in 1 minute(s).`
+
+This is due to the Fuzzer’s concurrency settings. You can enable sequential execution by setting the number of execution threads to 1. However, this slows down the Fuzzer a great deal. An alternative is to throttle requests with a small delay of 100–200 milliseconds. See [Options Fuzzer screen](/docs/desktop/addons/fuzzer/options/) for more detail.
+{{< /blockquote-alert >}}
 
 You can skip over the next section and head to [Have Username, Got Password](#have-username-got-password).
 
@@ -715,8 +719,9 @@ You can optionally move the script to the top of the processor list. Then, run t
 
 Once the Fuzzer is done, we can inspect the results. We’re looking for indications of a successful login. So, we’ll sort the results in descending order using the status code column (simply “*Code”* in the UI).
 
-> [!NOTE]
-> Both of these solutions are valid. As you might have noticed if you’ve solved a lab more than once, different lab instances can have different password solutions. So, you could see different passwords than shown below.
+{{< blockquote-alert type="note">}}
+Both of these solutions are valid. As you might have noticed if you’ve solved a lab more than once, different lab instances can have different password solutions. So, you could see different passwords than shown below.
+{{< /blockquote-alert >}}
 
 ### Method 1: Interleave Wordlists With Valid Credentials
 

site/content/docs/getting-further/script-security.md

@@ -22,8 +22,9 @@ For more details on ZAP’s security posture see the
 ### Script Capabilities
 As noted on the [Script Console](/docs/desktop/addons/script-console/) page:
 
-> [!WARNING]
-> Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!
+{{< blockquote-alert type="warning">}}
+Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!
+{{< /blockquote-alert >}}
 
 All scripts can call other scripts and any command line tools that are accessible to them based on OS permissions.
 Scripts can access any online services unless restricted by firewalls or similar.