fergalmoran/ladybird
1
0
Fork 0
mirror of https://github.com/fergalmoran/ladybird.git synced 2025-12-22 09:19:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

LibMarkdown: Wrap code block language string in escape_html_entities()

Browse Source 
This would allow HTML injection as the string was inserted into the HTML
output with no sanitation whatsoever.

Fixes #7123.
This commit is contained in:
Linus Groh
2021-05-19 23:30:42 +01:00
parent 0a70e1728a
commit 9c19e62675
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Userland/Libraries/LibMarkdown/CodeBlock.cpp
View File

@@ -39,7 +39,7 @@ String CodeBlock::render_to_html() const
if (style_language.is_empty())
builder.append("<code>");
else
builder.appendff("<code class=\"{}\">", style_language);
builder.appendff("<code class=\"{}\">", escape_html_entities(style_language));
if (style_language == "js")
builder.append(JS::MarkupGenerator::html_from_source(m_code));