diff options
| author | Thibaut Girka <thib@sitedethib.com> | 2019-05-17 10:43:17 +0200 |
|---|---|---|
| committer | ThibG <thib@sitedethib.com> | 2019-05-17 23:51:14 +0200 |
| commit | dd5bf40b97d42daae855cd05ac13c6efa6cda4f6 (patch) | |
| tree | 5da9297e1e6f72a065dc1c2ec974036584635951 | |
| parent | a6b7c23f6fd33c209f83562fffb46211e062312e (diff) | |
Properly escape HTML in code blocks
| -rw-r--r-- | app/lib/formatter.rb | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb index 2c509ef19..ccebf4353 100644 --- a/app/lib/formatter.rb +++ b/app/lib/formatter.rb @@ -5,13 +5,23 @@ require_relative './sanitize_config' class HTMLRenderer < Redcarpet::Render::HTML def block_code(code, language) - "<pre><code>#{code.gsub("\n", "<br/>")}</code></pre>" + "<pre><code>#{encode(code).gsub("\n", "<br/>")}</code></pre>" end def autolink(link, link_type) return link if link_type == :email Formatter.instance.link_url(link) end + + private + + def html_entities + @html_entities ||= HTMLEntities.new + end + + def encode(html) + html_entities.encode(html) + end end class Formatter |