Blockcode (bc.) does not autoescape HTML properly #3

ghost opened this Issue Nov 29, 2010 · 0 comments



ghost commented Nov 29, 2010

While using bc.., some <, > and " are not escaped properly.

See the test code:


use strict;
use warnings;

use Text::Textile;

my $textile = Text::Textile->new;

my $code = <<'CODE';
bc.. <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="" dir="ltr" lang="de" xml:lang="de">
<script src="/test/test.js" type="text/javascript"></script>

bc. <?xml version="1.0" encoding="UTF-8"?>

bc. <script src="/test/test.js" type="text/javascript"></script>

CODE

print $textile->process($code);


The code generates this HTML:

<pre><code><?xml version="1.0" encoding="UTF-8"?>
&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;;&gt;
&lt;html xmlns=&quot;; dir=&quot;ltr&quot; lang=&quot;de&quot; xml:lang=&quot;de&quot;&gt;
<script src="/test/test.js" type="text/javascript"></script>

<pre><code><?xml version="1.0" encoding="UTF-8"?></code></pre>

<pre><code><script src="/test/test.js" type="text/javascript"></script></code></pre>

Documentation in says:

A "bc" signature is short for "block code", which implies a preformatted section like the "pre" block,
but it also gets a <code> tag (or for XHTML 2, a <blockcode> tag is used instead).
Note that within a "bc" block, < and > are translated into HTML entities automatically.

As you can see, the <, > and " characters in <script>, </script>, <? and ?> are not HTML-escaped!

Seems to be a bug.

@ghost ghost referenced this issue Jul 10, 2014


Fix for wrong escaping in bc #12
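
A regression check for the behaviour reported in this issue, added here as an example; it is not part of the issue or of Text::Textile. The helper names `unescaped_in_code_blocks` and `escape_code` are hypothetical, `$reported` holds the two single-block outputs quoted in the report, and the escaping is the usual four-entity encoding, assumed here rather than taken from the project's fix.

```perl
use strict;
use warnings;

# Find raw <, > or " inside every <pre><code> block of $html.
# A block with no closing </code></pre> runs to the next block or end of input.
sub unescaped_in_code_blocks {
    my ($html) = @_;
    my (@findings, $n);
    while ($html =~ m{<pre><code>(.*?)(?=</code></pre>|<pre><code>|\z)}gs) {
        my $body = $1;
        $n++;
        while ($body =~ /([<>"])/g) {
            push @findings, { block => $n, offset => $-[1], char => $1 };
        }
    }
    return @findings;    # list of findings; count in scalar context
}

# Single-pass entity encoding, so '&' is never double-encoded.
sub escape_code {
    my ($text) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $text =~ s/([&<>"])/$ent{$1}/g;
    return $text;
}

# Output of the two "bc." blocks as quoted in the issue.
my $reported = <<'HTML';
<pre><code><?xml version="1.0" encoding="UTF-8"?></code></pre>

<pre><code><script src="/test/test.js" type="text/javascript"></script></code></pre>
HTML

my @bad = unescaped_in_code_blocks($reported);
printf "reported output: %d raw characters in code blocks\n", scalar @bad;
printf "  block %d offset %d: %s\n", @{$_}{qw(block offset char)} for @bad;

# The same two inputs, escaped the way the documentation describes (constructed).
my @inputs = (
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<script src="/test/test.js" type="text/javascript"></script>',
);
my $expected = join "\n\n",
    map { '<pre><code>' . escape_code($_) . '</code></pre>' } @inputs;
die "escaped output still has raw markup\n"
    if unescaped_in_code_blocks($expected);
print $expected, "\n";
```

Feeding the return value of `$textile->process(...)` to `unescaped_in_code_blocks` turns the report into a repeatable test; any finding means markup from a code block reaches the browser unescaped.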
