escape HTML entities in code parsed from markdown, fixes #2744

This commit is contained in:
Hakim El Hattab 2020-09-09 11:42:34 +02:00
parent 676936e33d
commit e09437f4fa
3 changed files with 21 additions and 2 deletions


@ -15,6 +15,14 @@ const SCRIPT_END_PLACEHOLDER = '__SCRIPT_END__';
const CODE_LINE_NUMBER_REGEX = /\[([\s\d,|-]*)\]/; const CODE_LINE_NUMBER_REGEX = /\[([\s\d,|-]*)\]/;
const HTML_ESCAPE_MAP = {
'&': '&',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#39;'
};
const Plugin = () => { const Plugin = () => {
// The reveal.js instance this plugin is attached to // The reveal.js instance this plugin is attached to
@ -399,6 +407,12 @@ const Plugin = () => {
} }
function escapeForHTML( input ) {
return input.replace( /([&<>'"])/g, char => HTML_ESCAPE_MAP[char] );
}
return { return {
id: 'markdown', id: 'markdown',
@ -427,6 +441,11 @@ const Plugin = () => {
language = language.replace( CODE_LINE_NUMBER_REGEX, '' ).trim(); language = language.replace( CODE_LINE_NUMBER_REGEX, '' ).trim();
} }
// Escape before this gets injected into the DOM to
// avoid having the HTML parser alter our code before
// highlight.js is able to read it
code = escapeForHTML( code );
return `<pre><code ${lineNumbers} class="${language}">${code}</code></pre>`; return `<pre><code ${lineNumbers} class="${language}">${code}</code></pre>`;
}; };
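Review bot: The new escaping covers only `code`, while `language` — derived on the earlier context line from the same fence info string and interpolated into the `class` attribute on the `return` line — is still inserted unescaped, so a quote or angle bracket in the info string can still alter the generated markup; `return \`<pre><code ${lineNumbers} class="${escapeForHTML( language )}">${code}</code></pre>\`;` closes that gap, and `lineNumbers` deserves the same treatment if it is also built from the fence (its construction is outside the hunk). Separately, the `'&'` entry of `HTML_ESCAPE_MAP` in the first hunk prints here as mapping `&` to itself, which is presumably this page rendering `&amp;`; if the source really reads `'&': '&'`, an entity such as `&lt;` written inside a code block would still be decoded by the HTML parser, so confirm the entry is `'&': '&amp;'`. The enclosing code renderer starts before this hunk.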