escape HTML <,>,& and quotes, and also in attribute values
clement committed Jan 12, 2011
1 parent beed889 commit 4816d73
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions lib/markdown.js
Expand Up @@ -1272,12 +1272,18 @@ expose.renderJsonML = function( jsonml, options ) {
return content.join( "\n\n" );
}

function escapeHTML( text ) {
return text.replace( /&/g, "&amp;" )
.replace( /</g, "&lt;" )
.replace( />/g, "&gt;" )
.replace( /"/g, "&quot;" )
.replace( /'/g, "&#39;" );
}

function render_tree( jsonml ) {
// basic case
if ( typeof jsonml === "string" ) {
return jsonml.replace( /&/g, "&amp;" )
.replace( /</g, "&lt;" )
.replace( />/g, "&gt;" );
return escapeHTML( jsonml );
}

var tag = jsonml.shift(),
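Review bot: escapeHTML replaces every `&` unconditionally, so a text node that already carries an entity reference (for example `&amp;` or `&#39;`) is re-escaped to `&amp;amp;`; if markdown-js means to pass entity references through, the `&` rule needs a negative lookahead for a complete reference, and if not, the change should say so, because callers that pre-escape their input will now get visibly doubled entities. Escaping `&` first and only then `<`, `>`, `"` and `'` is the right order, since the later replacements emit `&lt;`-style output that must not be re-escaped, and `&#39;` rather than `&apos;` is the portable choice for the single quote.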
Expand All @@ -1294,7 +1300,7 @@ function render_tree( jsonml ) {

var tag_attrs = "";
for ( var a in attributes ) {
tag_attrs += " " + a + '="' + attributes[ a ] + '"';
tag_attrs += " " + a + '="' + escapeHTML( attributes[ a ] ) + '"';
}

// be careful about adding whitespace here for inline elements
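Review bot: the attribute value is now escaped, but the attribute name `a` is still concatenated into the tag unescaped; if attribute names can ever originate from parsed input, a name containing whitespace, `=`, `"` or `>` would change the tag's structure, so either reject names that do not match a pattern such as `/^[A-Za-z_:][\w:.-]*$/` before this loop or document that the keys of `attributes` are only ever produced by the renderer itself. Escaping `"` as `&quot;` is sufficient for the value because it is always wrapped in double quotes here.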

4 comments on commit 4816d73

@tj
Contributor

@tj tj commented on 4816d73 Apr 2, 2011


this fucks me over, it should not double-escape

// leave an '&' alone when it already starts a named entity such as &amp;
function escape(html){
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

@clement
Contributor Author

@clement clement commented on 4816d73 Apr 2, 2011


Right, and also numeric entities:

/&(?!(\w+|#(x[a-f\d]+|\d+)))/gi

Though double-escaping has to be done in code blocks and inline (as said in the doc). I'll look into it.
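The two escaping strategies discussed in the previous two comments, side by side, as an added example in JavaScript. This is neither markdown-js code nor the commenters' own; it reproduces the commit's unconditional escaper, an entity-preserving variant built from the regex ideas above, and the attribute rendering from the second hunk with the escaper made injectable so the unescaped and escaped results can be compared. The one assumption beyond the thread is that a reference must end in `;` to count as an entity, which is what keeps "AT&T" from slipping through unescaped.

```javascript
// Added example, not code from markdown-js or from the commenters.

// Strategy 1: what the commit does. Every special character is escaped,
// so an '&' that already starts an entity is escaped again
// ("&amp;" becomes "&amp;amp;").
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Strategy 2: the entity-preserving variant the comments ask for. An '&'
// is left alone only when it begins a complete reference: a named one
// (&amp;), a decimal one (&#38;) or a hex one (&#x26;), each closed by ';'.
// The ';' requirement is an assumption made here; without it "AT&T" would
// pass through unescaped because "&T" looks like the start of a name.
var ENTITY_START = /&(?!(?:[a-z][a-z0-9]*|#(?:x[0-9a-f]+|[0-9]+));)/gi;

function escapeHTMLKeepEntities(text) {
  return String(text)
    .replace(ENTITY_START, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Attribute rendering as in the second hunk, but with the escaper passed
// in so the behaviour before and after the commit can be shown together.
function renderAttrs(attributes, escape) {
  var out = "";
  for (var a in attributes) {
    out += " " + a + '="' + escape(attributes[a]) + '"';
  }
  return out;
}

// "Before" behaviour: no escaping at all.
function identity(s) {
  return String(s);
}

// Constructed sample inputs covering the cases raised in the thread.
var SAMPLES = {
  alreadyEscaped: "foo&amp;co",   // tj's complaint: must not double-escape
  bareAmpersand: "AT&T",          // no entity here, must be escaped
  hexEntity: "&#x27;",            // clement's numeric-entity case
  markup: "<script>",             // must always become &lt;script&gt;
  attrBreakout: 'x" data-extra="y'  // a '"' that would close the attribute
};

// Runs every sample through both escapers; returns {input: [full, keep]}.
function compareEscapers() {
  var result = {};
  for (var name in SAMPLES) {
    result[name] = [escapeHTML(SAMPLES[name]), escapeHTMLKeepEntities(SAMPLES[name])];
  }
  return result;
}

// Usage: compareEscapers().alreadyEscaped -> ["foo&amp;amp;co", "foo&amp;co"]
```

The ordering inside both functions matters: `&` is handled first so that the `&lt;`, `&gt;`, `&quot;` and `&#39;` produced by the later replacements are never touched again. With the entity-preserving variant, text that arrives already escaped stays as it is, which is what the thread wants, but an author can no longer write a literal `&amp;` and have it shown as such; that is the trade-off ashb's babelmark comparison is about.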

@ashb
Collaborator

@ashb ashb commented on 4816d73 Apr 2, 2011


visionmedia: We currently don't support any inline HTML so 'double escaping' is a funny case.

You can see how most other implementations behave here: http://babelmark.bobtfish.net/?markdown=foo%26amp+co%0D%0A%0D%0A%3Cp%3Efoo%26amp%3Bco%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3Efoo%26co%3C%2Fp%3E&compare=on&src=1&dest=2

@tj
Contributor

@tj tj commented on 4816d73 Apr 2, 2011


nvm, I've switched to a different markdown lib that supports both inline HTML and doesn't have this issue
