<foo> is parsed as HTML element even if < is escaped with \

[rhysd]

Marked version: 0.3.17

Markdown flavor: CommonMark or GitHub Flavored Markdown

Expectation

Parsed as text and it should not be sanitized

Result

Parsed as HTML tag and it is passed to a sanitizer

What was attempted

Install marked with npm install marked.

Then put following code as foo.js

const marked = require('marked');

const doc = '\\<div>';

console.log(
    marked(doc, {
        sanitize: true,
        sanitizer: tag => {
            console.log('tag:', tag);
            return tag;
        },
    }),
);

Finally run it with node foo.js.

It outputs:

tag: <div>
<p>\<div></p>

The <div> just after \ is parsed as <div> HTML element even if < is escaped with \. However, as long as I confirmed with http://spec.commonmark.org/dingus/, \<div> should be parsed as text '<div>'. So it should not be passed to sanitizer and should be escaped as \<div> by marked.

I have trouble with this problem because sanitizer cannot know whether the input is just a text input (where < is escaped with \) or actual HTML tag.