fix(helper): escape HTML by default in list_tag helper (#4743)

BREAKING CHANGES: escape the html tag values. It should be text, not HTML. This is a breaking change and documentation should be updated to explain that when using function transform, the value should be escaped if needed.
hexojs · Jul 25, 2021 · 042f862 · 042f862
1 parent 9e3360a
commit 042f862
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/lib/plugins/helper/list_tags.js b/lib/plugins/helper/list_tags.js
@@ -1,6 +1,6 @@
 'use strict';
 
-const { url_for } = require('hexo-util');
+const { url_for, escapeHTML } = require('hexo-util');
 
 function listTagsHelper(tags, options) {
   if (!options && (!tags || !Object.prototype.hasOwnProperty.call(tags, 'length'))) {
@@ -59,7 +59,7 @@ function listTagsHelper(tags, options) {
       result += `<li class="${liClass}">`;
 
       result += `<a class="${aClass}" href="${url_for.call(this, tag.path)}${suffix}" rel="tag">`;
-      result += transform ? transform(tag.name) : tag.name;
+      result += transform ? transform(tag.name) : escapeHTML(tag.name);
       result += '</a>';
 
       if (showCount) {

diff --git a/test/scripts/helpers/list_tags.js b/test/scripts/helpers/list_tags.js
@@ -205,3 +205,41 @@ describe('list_tags', () => {
     ].join(''));
   });
 });
+
+describe('list_tags transform', () => {
+  const Hexo = require('../../../lib/hexo');
+  const hexo = new Hexo(__dirname);
+  const Post = hexo.model('Post');
+
+  const ctx = {
+    config: hexo.config
+  };
+
+  const listTags = require('../../../lib/plugins/helper/list_tags').bind(ctx);
+
+  before(async () => {
+    await hexo.init();
+    const posts = await Post.insert([
+      {source: 'foo', slug: 'foo'}
+    ]);
+
+    // TODO: Warehouse needs to add a mutex lock when writing data to avoid data sync problem
+    await Promise.all([
+      ['bad<b>HTML</b>']
+    ].map((tags, i) => posts[i].setTags(tags)));
+
+    hexo.locals.invalidate();
+    ctx.site = hexo.locals.toObject();
+  });
+
+  // no transform should escape HTML
+  it('no transform', () => {
+    const result = listTags();
+
+    result.should.eql([
+      '<ul class="tag-list" itemprop="keywords">',
+      '<li class="tag-list-item"><a class="tag-list-link" href="/tags/bad-b-HTML-b/" rel="tag">bad&lt;b&gt;HTML&lt;&#x2F;b&gt;</a><span class="tag-list-count">1</span></li>',
+      '</ul>'
+    ].join(''));
+  });
+});