Ensure code block contents are always escaped

Closes #1581
Vincent Prouillet 2021-08-18 09:04:58 +02:00
parent 6a39253e29
commit 8b43667a94
2 changed files with 20 additions and 1 deletions


@ -3,6 +3,10 @@
## 0.14.1 (unreleased)
- HTML minification now respects HTML spec (it still worked before because browsers can handle invalid HTML well and minifiers take advantage of it)
- Show all errors on `zola serve`
- `zola serve` now properly returns a 404
- Fix `zola serve` having issues with config files in separate dir
- Fix code blocks content not being escaped when not using syntax highlighting
## 0.14.0 (2021-07-19)


@ -1,6 +1,7 @@
use std::fmt::Write;
use config::highlighting::{SyntaxAndTheme, CLASS_STYLE};
use tera::escape_html;
use syntect::easy::HighlightLines;
use syntect::highlighting::{Color, Theme};
use syntect::html::{
@ -113,7 +114,7 @@ impl<'config> SyntaxHighlighter<'config> {
match self {
Inlined(h) => h.highlight_line(line),
Classed(h) => h.highlight_line(line),
NoHighlight => line.to_owned(),
NoHighlight => escape_html(line),
}
}
@ -223,4 +224,18 @@ mod tests {
assert!(out.starts_with(r#"<span style="color"#));
assert!(out.ends_with("</span>"));
}
#[test]
fn no_highlight_escapes_html() {
let mut config = Config::default();
config.markdown.highlight_code = false;
let code = "<script>alert('hello')</script>";
let syntax_and_theme = resolve_syntax_and_theme(Some("py"), &config);
let mut highlighter = SyntaxHighlighter::new(false, syntax_and_theme);
let mut out = String::new();
for line in LinesWithEndings::from(&code) {
out.push_str(&highlighter.highlight_line(line));
}
assert!(!out.contains("<script>"));
}
}
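Review bot: The new test `no_highlight_escapes_html` only asserts that the literal `<script>` is absent, which would still pass if the `NoHighlight` arm dropped the line or returned an empty string; pin the escaped form as well with `assert!(out.contains("&lt;script&gt;"));`. The sample input has no `&` or `"`, so a second input containing both would cover the remaining characters that matter when code text is written into HTML. On the `NoHighlight => escape_html(line)` arm, a comment such as `// No highlighter runs on this path, so escape the raw line before it reaches the HTML output` would record why this arm differs from the other two. Whether the `Inlined` and `Classed` arms escape their input is not visible in these hunks and is worth confirming with an equivalent test. `highlight_line` and the `tests` module both begin outside the hunks shown.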