mirror of https://github.com/danog/blackfriday.git synced 2024-11-26 12:04:46 +01:00

Only allow valid HTML entities to be unescaped. Do not escape HTML entities in code blocks.

Faruq Rasid 2018-09-06 17:05:43 +08:00
parent c5c549b063
commit 6762cd3685
3 changed files with 2250 additions and 5 deletions

2235
entities.go Normal file

File diff suppressed because it is too large Load Diff

16
esc.go

@ -13,12 +13,20 @@ var htmlEscaper = [256][]byte{
}
func escapeHTML(w io.Writer, s []byte) {
escapeEntities(w, s, false)
}
func escapeAllHTML(w io.Writer, s []byte) {
escapeEntities(w, s, true)
}
func escapeEntities(w io.Writer, s []byte, escapeValidEntities bool) {
var start, end int
for end < len(s) {
escSeq := htmlEscaper[s[end]]
if escSeq != nil {
isEntity, entityEnd := nodeIsEntity(s, end)
if isEntity {
if isEntity && !escapeValidEntities {
w.Write(s[start : entityEnd+1])
start = entityEnd + 1
} else {
@ -41,8 +49,10 @@ func nodeIsEntity(s []byte, end int) (isEntity bool, endEntityPos int) {
if s[end] == '&' {
for endEntityPos < len(s) {
if s[endEntityPos] == ';' {
isEntity = true
break
if entities[string(s[end:endEntityPos+1])] {
isEntity = true
break
}
}
if !isalnum(s[endEntityPos]) && s[endEntityPos] != '&' && s[endEntityPos] != '#' {
break
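Review bot: In nodeIsEntity the new lookup `entities[string(s[end:endEntityPos+1])]` is now the only way a reference is accepted, yet the scan loop still admits `#`, so numeric references such as `&#35;` or `&#x22;` pass through only if entities.go lists them; that file's diff is suppressed on this page, so this cannot be confirmed here. If they are not listed they will now render as `&amp;#35;`, which is safe but a visible behaviour change that deserves a test case and a comment such as `// Only references present in the entities table pass through unescaped; any other '&' is escaped.` The two new wrappers also lack doc comments, for example `// escapeAllHTML escapes every special byte, including the '&' of a valid entity; use it for literal text such as code.` The body of nodeIsEntity continues past the end of this hunk.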


@ -616,7 +616,7 @@ func (r *HTMLRenderer) RenderNode(w io.Writer, node *Node, entering bool) WalkSt
}
case Code:
r.out(w, codeTag)
escapeHTML(w, node.Literal)
escapeAllHTML(w, node.Literal)
r.out(w, codeCloseTag)
case Document:
break
@ -762,7 +762,7 @@ func (r *HTMLRenderer) RenderNode(w io.Writer, node *Node, entering bool) WalkSt
r.cr(w)
r.out(w, preTag)
r.tag(w, codeTag[:len(codeTag)-1], attrs)
escapeHTML(w, node.Literal)
escapeAllHTML(w, node.Literal)
r.out(w, codeCloseTag)
r.out(w, preCloseTag)
if node.Parent.Type != Item {
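Review bot: The two switches to `escapeAllHTML(w, node.Literal)` in RenderNode (the `case Code:` branch and the branch that writes `preTag`) change rendered output, but none of the three files in this commit is a test, so nothing pins the new behaviour. A regression case where a code span holds the literal text `&lt;b&gt;` and must come out as `&amp;lt;b&amp;gt;` would guard it, since a later revert to escapeHTML would silently let the browser decode entity text inside code. A short comment at each call would help as well: `// Code is literal: escape every '&', even one that starts a valid entity.` RenderNode starts and ends outside both hunks, so any other writers of node.Literal are not visible here.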