From 8b43667a94f4fd6cf1489f22811abe87136321e5 Mon Sep 17 00:00:00 2001 From: Vincent Prouillet Date: Wed, 18 Aug 2021 09:04:58 +0200 Subject: [PATCH] Ensure code block contents are always escaped Closes #1581 --- CHANGELOG.md | 4 ++++ components/rendering/src/codeblock/highlight.rs | 17 ++++++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1b3f4dc..d8784113 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ ## 0.14.1 (unreleased) - HTML minification now respects HTML spec (it still worked before because browsers can handle invalid HTML well and minifiers take advantage of it) +- Show all errors on `zola serve` +- `zola serve` now properly returns a 404 +- Fix `zola serve` having issues with config files in separate dir +- Fix code blocks content not being escaped when not using syntax highlighting ## 0.14.0 (2021-07-19) diff --git a/components/rendering/src/codeblock/highlight.rs b/components/rendering/src/codeblock/highlight.rs index dade4318..e408b326 100644 --- a/components/rendering/src/codeblock/highlight.rs +++ b/components/rendering/src/codeblock/highlight.rs @@ -1,6 +1,7 @@ use std::fmt::Write; use config::highlighting::{SyntaxAndTheme, CLASS_STYLE}; +use tera::escape_html; use syntect::easy::HighlightLines; use syntect::highlighting::{Color, Theme}; use syntect::html::{ @@ -113,7 +114,7 @@ impl<'config> SyntaxHighlighter<'config> { match self { Inlined(h) => h.highlight_line(line), Classed(h) => h.highlight_line(line), - NoHighlight => line.to_owned(), + NoHighlight => escape_html(line), } } 
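Review bot: The new `NoHighlight => escape_html(line)` arm fixes the raw-HTML injection, but nothing in the hunk records the invariant it restores — that every arm of this `match` must return HTML-safe markup, since the caller pastes the result straight into `<pre><code>` — so the next variant added here can regress silently; a comment above `match self` such as `// Every arm returns HTML-escaped text: callers emit it inside <pre><code> verbatim.` would pin the contract. The `Inlined` and `Classed` arms appear to rely on syntect doing its own escaping, which is not visible in this hunk, so a regression test per arm alongside the `no_highlight_escapes_html` test this patch adds would guard all three paths rather than one. Note that `tera::escape_html` also escapes quotes and `/`, which is harmless inside `<pre>` but means the escaped output differs from syntect's `&`/`<`/`>`-only escaping; if a caller ever compares or post-processes the two, that asymmetry is worth a mention in the comment. `highlight_line`'s signature and any doc comment are outside the hunk.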
@@ -223,4 +224,18 @@ mod tests {
         assert!(out.starts_with(r#""));
     }
+
+    #[test]
+    fn no_highlight_escapes_html() {
+        let mut config = Config::default();
+        config.markdown.highlight_code = false;
+        let code = "";
+        let syntax_and_theme = resolve_syntax_and_theme(Some("py"), &config);
+        let mut highlighter = SyntaxHighlighter::new(false, syntax_and_theme);
+        let mut out = String::new();
+        for line in LinesWithEndings::from(&code) {
+            out.push_str(&highlighter.highlight_line(line));
+        }
+        assert!(!out.contains("