
Command Line: Escape markup in command line output #3341

Merged
merged 1 commit into from Feb 16, 2022

Conversation

at055612 (Contributor) commented Feb 16, 2022

Fixes #3340

github-actions bot commented Feb 16, 2022

JS File Size Changes (gzipped)

A total of 1 files have changed, with a combined diff of +11 B (+1.0%).

| file | master | pull | size diff | % diff |
| --- | --- | --- | --- | --- |
| plugins/command-line/prism-command-line.min.js | 1.13 KB | 1.14 KB | +11 B | +1.0% |

Generated by 🚫 dangerJS against f99b8e2

RunDevelopment (Member) commented Feb 16, 2022

You just found and fixed a security vulnerability that has been in Prism for years. Thank you!

The bug was introduced in #856, almost 4 years ago, and was first released in v1.14.0.

I'll release a new version and make an advisory after merging this PR.
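The defect the PR title describes, as an added illustration rather than Prism's own plugin code: output lines of a command-line block are wrapped in markup, so any `<`, `>` or `&` they contain must be escaped first. The prompt string, the `span` class name and the sample block are assumptions for this example.

```javascript
// Added illustration (not PrismJS code) of why command-line output must be
// HTML-escaped before it is inserted into the rendered block as markup.
// Assumed model: lines starting with the prompt "$ " are commands, every
// other line is program output wrapped in a <span class="token output">.

const PROMPT = '$ '; // assumed prompt marker

// Escape the three characters that can open or close tags and entities.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function wrapOutput(line) {
  return `<span class="token output">${line}</span>`;
}

// Vulnerable pattern: command lines are escaped (assumed to be handled by
// the highlighter), but output lines are inserted verbatim, so markup in
// the output becomes live markup in the page.
function renderUnsafe(code) {
  return code.split('\n').map((line) =>
    line.startsWith(PROMPT) ? escapeHtml(line) : wrapOutput(line)
  ).join('\n');
}

// Hardened pattern: output lines go through escapeHtml before wrapping,
// so the same text renders literally.
function renderSafe(code) {
  return code.split('\n').map((line) =>
    line.startsWith(PROMPT) ? escapeHtml(line) : wrapOutput(escapeHtml(line))
  ).join('\n');
}

// Constructed sample: the output line carries tags and an ampersand.
const SAMPLE = '$ cat notes.txt\n<b>bold</b> & <i>italic</i>';

// True when the rendered HTML still contains a raw <b> tag from the output.
function leaksMarkup(html) {
  return html.includes('<b>bold</b>');
}
```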

@RunDevelopment RunDevelopment merged commit e002e78 into PrismJS:master Feb 16, 2022
12 checks passed
at055612 (Contributor, Author) commented Feb 16, 2022

Happy to help.

How do the release tags relate to the js/css downloads on the prism site? The last release was January I think but if I download the css/js from the site now it includes my recent PRs which went in since the Jan release. Is the site based on master?

I think it may be better if the site was built from a tagged release then the version number in the downloaded css/js would always correspond to a fixed point in the code.

@at055612 at055612 deleted the gh-3340-escape-cmd-output branch Feb 16, 2022
RunDevelopment (Member) commented Feb 16, 2022

> How do the release tags relate to the js/css downloads on the prism site?

Not at all. As you guess, they get everything straight from master.

> I think it may be better if the site was built from a tagged release then the version number in the downloaded css/js would always correspond to a fixed point in the code.

I agree, but that's not easy to implement on top of GitHub pages. However, we actually need this for another feature, so it is planned that you will eventually be able to select a specific version on the download page.
