]> cat aescling's git repositories - mastodon.git/commitdiff
Properly escape HTML in code blocks
author Thibaut Girka <thib@sitedethib.com>
Fri, 17 May 2019 08:43:17 +0000 (10:43 +0200)
committer ThibG <thib@sitedethib.com>
Fri, 17 May 2019 21:51:14 +0000 (23:51 +0200)
app/lib/formatter.rb

index 2c509ef19fce027f9033325db002a2cd333fa232..ccebf4353f54db950b2a7d9c69e684e8a91329c2 100644 (file)
@@ -5,13 +5,23 @@ require_relative './sanitize_config'
 
 class HTMLRenderer < Redcarpet::Render::HTML
   def block_code(code, language)
-    "<pre><code>#{code.gsub("\n", "<br/>")}</code></pre>"
+    "<pre><code>#{encode(code).gsub("\n", "<br/>")}</code></pre>"
   end
 
   def autolink(link, link_type)
     return link if link_type == :email
     Formatter.instance.link_url(link)
   end
+
+  private
+
+  def html_entities
+    @html_entities ||= HTMLEntities.new
+  end
+
+  def encode(html)
+    html_entities.encode(html)
+  end
 end
 
 class Formatter
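Review bot: the new `encode(code)` in `block_code` is the only thing that now keeps the contents of a fenced code block from being emitted as raw markup (the removed line interpolated `code` untouched, so a block containing `<script>` went straight into the `<pre><code>` output), so two things are worth confirming before merge: first, that the escaping stays ahead of the `gsub("\n", "<br/>")` as written here, since swapping the order would encode the inserted `<br/>` tags; second, that `HTMLEntities.new.encode(html)` with no instruction argument actually covers every dangerous character. With the htmlentities gem the default instruction is `:basic`, which encodes `&`, `<`, `>`, `"` and `'`, which is sufficient here, but that assumption is not visible in the hunk and deserves either a comment next to `encode` or a spec that feeds a block containing `<script>`, `"` and `&` through the renderer. Also note that no `require 'htmlentities'` appears in the hunk; that is fine if the gem is loaded via Bundler, otherwise `HTMLEntities` will be an uninitialized constant at the first call. Minor: `language` is still unused, so the rendered block carries no language class; if that is intentional, a short note saying so would stop the next reader from "fixing" it by interpolating `language` unescaped into a `class` attribute.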