From 3c568ad0139c79e5c0596ca40637512d71401afc Mon Sep 17 00:00:00 2001
From: satotake <doublequotation@gmail.com>
Date: Mon, 17 Feb 2020 22:59:26 +0900
Subject: [PATCH] markup/highlight: Fix chroma highlight

* Use chroma.Coalesce
* Escape code strings if lexer is nil

Fixes #6877
Fixes #6856
---
 markup/highlight/highlight.go      |  4 +++-
 markup/highlight/highlight_test.go | 29 ++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/markup/highlight/highlight.go b/markup/highlight/highlight.go
index 9e26aaf844e..2bd77af0b2a 100644
--- a/markup/highlight/highlight.go
+++ b/markup/highlight/highlight.go
@@ -15,6 +15,7 @@ package highlight
 
 import (
 	"fmt"
+	gohtml "html"
 	"io"
 	"strings"
 
@@ -63,7 +64,7 @@ func highlight(code, lang string, cfg Config) (string, error) {
 	if lexer == nil {
 		wrapper := getPreWrapper(lang)
 		fmt.Fprint(w, wrapper.Start(true, ""))
-		fmt.Fprint(w, code)
+		fmt.Fprint(w, gohtml.EscapeString(code))
 		fmt.Fprint(w, wrapper.End(true))
 		return w.String(), nil
 	}
@@ -72,6 +73,7 @@ func highlight(code, lang string, cfg Config) (string, error) {
 	if style == nil {
 		style = styles.Fallback
 	}
+	lexer = chroma.Coalesce(lexer)
 
 	iterator, err := lexer.Tokenise(nil, code)
 	if err != nil {
diff --git a/markup/highlight/highlight_test.go b/markup/highlight/highlight_test.go
index 6da2924896d..3086792639d 100644
--- a/markup/highlight/highlight_test.go
+++ b/markup/highlight/highlight_test.go
@@ -29,6 +29,13 @@ LINE3
 LINE4
 LINE5
 `
+	coalesceNeeded := `GET /foo HTTP/1.1
+Content-Type: application/json
+User-Agent: foo
+
+{
+  "hello": "world"
+}`
 
 	c.Run("Basic", func(c *qt.C) {
 		cfg := DefaultConfig
@@ -38,7 +45,7 @@ LINE5
 		result, _ := h.Highlight(`echo "Hugo Rocks!"`, "bash", "")
 		c.Assert(result, qt.Equals, `<div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="nb">echo</span> <span class="s2">&#34;Hugo Rocks!&#34;</span></code></pre></div>`)
 		result, _ = h.Highlight(`echo "Hugo Rocks!"`, "unknown", "")
-		c.Assert(result, qt.Equals, `<pre><code class="language-unknown" data-lang="unknown">echo "Hugo Rocks!"</code></pre>`)
+		c.Assert(result, qt.Equals, `<pre><code class="language-unknown" data-lang="unknown">echo &#34;Hugo Rocks!&#34;</code></pre>`)
 
 	})
 
@@ -106,4 +113,24 @@ LINE5
 		result, _ := h.Highlight(lines, "", "")
 		c.Assert(result, qt.Contains, "<span class=\"ln\">2</span>LINE2\n<")
 	})
+
+	c.Run("No language, Escape HTML string", func(c *qt.C) {
+		cfg := DefaultConfig
+		cfg.NoClasses = false
+		h := New(cfg)
+
+		result, _ := h.Highlight("Escaping less-than in code block? <fail>", "", "")
+		c.Assert(result, qt.Contains, "&lt;fail&gt;")
+	})
+
+	c.Run("Highlight lines, default config", func(c *qt.C) {
+		cfg := DefaultConfig
+		cfg.NoClasses = false
+		h := New(cfg)
+
+		result, _ := h.Highlight(coalesceNeeded, "http", "linenos=true,hl_lines=2")
+		c.Assert(result, qt.Contains, "hello")
+		c.Assert(result, qt.Contains, "}")
+	})
+
 }