Properly escape HTML in code blocks

5 years ago · dd5bf40b97
parent a6b7c23f6f
commit dd5bf40b97
1 changed files with 11 additions and 1 deletions
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@ -5,13 +5,23 @@ require_relative './sanitize_config'

 class HTMLRenderer < Redcarpet::Render::HTML
  def block_code(code, language)
-    "<pre><code>#{code.gsub("\n", "<br/>")}</code></pre>"
+    "<pre><code>#{encode(code).gsub("\n", "<br/>")}</code></pre>"
  end

  def autolink(link, link_type)
    return link if link_type == :email
    Formatter.instance.link_url(link)
  end
+
+  private
+
+  def html_entities
+    @html_entities ||= HTMLEntities.new
+  end
+
+  def encode(html)
+    html_entities.encode(html)
+  end
 end

 class Formatter