escape HTML entities in code parsed from markdown, fixes #2744

2020-09-09 11:42:34 +02:00 · 2020-09-09 11:42:34 +02:00 · e09437f4fa
commit e09437f4fa
parent 676936e33d
3 changed files with 21 additions and 2 deletions
--- a/plugin/markdown/markdown.esm.js
+++ b/plugin/markdown/markdown.esm.js
--- a/plugin/markdown/markdown.js
+++ b/plugin/markdown/markdown.js
--- a/plugin/markdown/plugin.js
+++ b/plugin/markdown/plugin.js
@ -15,6 +15,14 @@ const SCRIPT_END_PLACEHOLDER = '__SCRIPT_END__';

 const CODE_LINE_NUMBER_REGEX = /\[([\s\d,|-]*)\]/;

+const HTML_ESCAPE_MAP = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;'
+};
+
 const Plugin = () => {

 	// The reveal.js instance this plugin is attached to
@ -399,6 +407,12 @@ const Plugin = () => {

 	}

+	function escapeForHTML( input ) {
+
+	  return input.replace( /([&<>'"])/g, char => HTML_ESCAPE_MAP[char] );
+
+	}
+
 	return {
 		id: 'markdown',

@ -427,6 +441,11 @@ const Plugin = () => {
 					language = language.replace( CODE_LINE_NUMBER_REGEX, '' ).trim();
 				}

+				// Escape before this gets injected into the DOM to
+				// avoid having the HTML parser alter our code before
+				// highlight.js is able to read it
+				code = escapeForHTML( code );
+
 				return `<pre><code ${lineNumbers} class="${language}">${code}</code></pre>`;
 			};