Escape content before going into google-code-prettify.

Review Request #4916 — Created Nov. 8, 2013 and submitted

Information

Review Board
master

Reviewers

Escape content before going into google-code-prettify.

marked.js passes raw text, not escaped text, to google-code-prettify.
This results in google-code-prettify highlighting content and otherwise
providing passed text as-is. This causes problems if you have any code
you're trying to highlight that looks like HTML, as it remains HTML.
Of course, this also means that HTML can be injected, leading to
attacks.

We now escape what marked.js gives us, and pass it to
google-code-prettify, which handles escaped content just fine.

Reproduced the bug I saw on /r/4861/. I added code blocks that contained
HTML code, and was able to inject HTML (plus the tags didn't show up
highlighted, as I wanted to see). After this change, I couldn't inject
HTML, and my tag-like code was showing up highlighted properly.

david
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed