Fix encoding issues in marked.js with ampersands.
Review Request #6560 — Created Nov. 5, 2014 and submitted
By default, when processing text blocks in marked.js, ampersands
wouldn't be encoded to "&". This caused problems when attempting to
write a literal "<", which would end up staying as a literal "<",
turning into a "<" during render.This happened because text blocks weren't specifying that ampersands
needed to be encoded. This simple change specifies that ampersand
encoding is required when escaping text.Note that no XSS issues were resulting from the above flaw in marked.js.
It was purely a visual rendering issue.
Tested a variety of characters and didn't see any problems.
Setting this flag to true just tells it to convert & to &.