Ensure code block contents are always escaped

Closes #1581

CHANGELOG.md

@@ -3,6 +3,10 @@
 ## 0.14.1 (unreleased)
 
 - HTML minification now respects HTML spec (it still worked before because browsers can handle invalid HTML well and minifiers take advantage of it)
+- Show all errors on `zola serve`
+- `zola serve` now properly returns a 404
+- Fix `zola serve` having issues with config files in separate dir
+- Fix code blocks content not being escaped when not using syntax highlighting
 
 ## 0.14.0 (2021-07-19)
 

components/rendering/src/codeblock/highlight.rs

@@ -1,6 +1,7 @@
 use std::fmt::Write;
 
 use config::highlighting::{SyntaxAndTheme, CLASS_STYLE};
+use tera::escape_html;
 use syntect::easy::HighlightLines;
 use syntect::highlighting::{Color, Theme};
 use syntect::html::{
@@ -113,7 +114,7 @@ impl<'config> SyntaxHighlighter<'config> {
         match self {
             Inlined(h) => h.highlight_line(line),
             Classed(h) => h.highlight_line(line),
-            NoHighlight => line.to_owned(),
+            NoHighlight => escape_html(line),
         }
     }
 
@@ -223,4 +224,18 @@ mod tests {
         assert!(out.starts_with(r#"<span style="color"#));
         assert!(out.ends_with("</span>"));
     }
+
+    #[test]
+    fn no_highlight_escapes_html() {
+        let mut config = Config::default();
+        config.markdown.highlight_code = false;
+        let code = "<script>alert('hello')</script>";
+        let syntax_and_theme = resolve_syntax_and_theme(Some("py"), &config);
+        let mut highlighter = SyntaxHighlighter::new(false, syntax_and_theme);
+        let mut out = String::new();
+        for line in LinesWithEndings::from(&code) {
+            out.push_str(&highlighter.highlight_line(line));
+        }
+        assert!(!out.contains("<script>"));
+    }
 }