Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Blockcode (bc.) does not autoescape HTML properly #3

GwenDragon opened this Issue · 0 comments

1 participant


While using bc.. some <,> and " are not escaped properly.

See the testcode:


use strict;
use warnings;

use Text::Textile;

my $textile = Text::Textile->new;

my $code = <<'CODE';
bc.. <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="" dir="ltr" lang="de" xml:lang="de">
<script src="/test/test.js" type="text/javascript"></script>

bc. <?xml version="1.0" encoding="UTF-8"?>

bc. <script src="/test/test.js" type="text/javascript"></script>

print $textile->process($code);


Code generates this HTML

<pre><code><?xml version="1.0" encoding="UTF-8"?>
&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;;&gt;
&lt;html xmlns=&quot;; dir=&quot;ltr&quot; lang=&quot;de&quot; xml:lang=&quot;de&quot;&gt;
<script src="/test/test.js" type="text/javascript"></script>

<pre><code><?xml version="1.0" encoding="UTF-8"?></code></pre>

<pre><code><script src="/test/test.js" type="text/javascript"></script></code></pre>

Documentation in says:

A "bc" signature is short for "block code", which implies a preformatted section like the "pre" block,
but it also gets a <code> tag (or for XHTML 2, a <blockcode> tag is used instead).
Note that within a "bc" block, < and > are translated into HTML entities automatically.

As you can see, the <, > and " char in <script>, </script>, <? and ?> are not HTML-escaped!

Seems to be a bug.

@GwenDragon GwenDragon referenced this issue from a commit in GwenDragon/text-textile
Lilo von Hanffstengel (GwenDragon) Fix bc, missing escaping of <>" issue #3 1eea975
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.