From fef9ec476cacd5f52ecc43dc0d35360da0a8b5b0 Mon Sep 17 00:00:00 2001
From: Roman Hotsiy
Date: Wed, 15 Nov 2017 09:40:55 +0200
Subject: [PATCH] fix: html characters not escaped in code blocks (fixes #378) if lang is not specified
---
 lib/utils/md-renderer.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/utils/md-renderer.ts b/lib/utils/md-renderer.ts
index 9e2c890cae..1fe16d1a50 100644
--- a/lib/utils/md-renderer.ts
+++ b/lib/utils/md-renderer.ts
@@ -5,6 +5,13 @@ import * as slugify from 'slugify';
 import * as Remarkable from 'remarkable';
 import { StringMap } from './';
 
+function HTMLescape(html: string): string {
+ return document.createElement('div')
+ .appendChild(document.createTextNode(html))
+ .parentElement
+ .innerHTML;
+}
+
 declare var Prism: any;
 const md = new Remarkable({
 html: true,
@@ -15,7 +22,7 @@ const md = new Remarkable({
 if (lang === 'json') lang = 'js';
 let grammar = Prism.languages[lang];
 // fallback to click
- if (!grammar) return str;
+ if (!grammar) return HTMLescape(str);
 return Prism.highlight(str, grammar);
 }
 });
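Review bot: `HTMLescape` in the first hunk depends on the global `document`, so the new fallback path throws wherever this renderer runs without a DOM (server-side rendering, node-based tests), and under `strictNullChecks` the `.parentElement` access is typed `HTMLElement | null` and would not compile. A plain string escape has neither problem and is sufficient here, because the escaped text is placed as element content inside the fenced `<pre><code>` block. The name also departs from the file's camelCase convention; `escapeHtml` would match `slugify`/`Remarkable` usage around it. If the installed Remarkable's fence renderer applies its own `escapeHtml` when the highlight callback returns an empty string, `if (!grammar) return '';` in the second hunk would be an even smaller fix, but that is worth confirming against the library version in use rather than assumed.
```typescript
function HTMLescape(html: string): string {
  return html
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
```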