Fix encoding issues in marked.js with ampersands.

Review Request #6560 — Created Nov. 5, 2014 and submitted

Information

Review Board
release-2.0.9-prep
ac49796...

Reviewers

By default, when processing text blocks in marked.js, ampersands
wouldn't be encoded to "&amp;". This caused problems when attempting to
write a literal "&lt;", which would end up staying as a literal "&lt;",
turning into a "<" during render.

This happened because text blocks weren't specifying that ampersands
needed to be encoded. This simple change specifies that ampersand
encoding is required when escaping text.

Note that no XSS issues were resulting from the above flaw in marked.js.
It was purely a visual rendering issue.

Tested a variety of characters and didn't see any problems.

Setting this flag to true just tells it to convert & to &amp;.
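
An added illustration of the behaviour described above (not marked.js or Review Board code): a simplified escaper with a hypothetical `escapeText(text, encodeAmp)` helper and a stand-in `displayed()` decoder, assuming the unflagged path leaves ampersands that already begin an entity untouched. It shows which constructed inputs fail to round-trip without the flag, and that neither mode ever emits a raw angle bracket.

```javascript
// Added example: hypothetical helper names, not marked.js's API.

// Escape text for insertion into HTML. When encodeAmp is false, ampersands
// that already look like the start of an entity are left alone (assumed
// behaviour of the unflagged path); when true, every "&" becomes "&amp;".
function escapeText(text, encodeAmp) {
  const amp = encodeAmp ? /&/g : /&(?!#?\w+;)/g;
  return text
    .replace(amp, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for what a browser displays: one decoding pass over the
// named entities produced above plus decimal numeric references.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"' };
function displayed(html) {
  return html.replace(/&(?:(amp|lt|gt|quot)|#(\d+));/g,
    (m, name, code) => (name ? NAMED[name] : String.fromCodePoint(Number(code))));
}

// Constructed sample inputs, as a user might type them into a text field.
const SAMPLES = [
  'a & b',
  'use &lt; for less-than',
  '&amp;&amp;',
  '<script>alert(1)</script>',
  '&#60;b&#62;',
];

function report(samples) {
  return samples.map((input) => {
    const loose = escapeText(input, false);
    const strict = escapeText(input, true);
    return {
      input,
      looseRoundTrips: displayed(loose) === input,   // what you typed is what you see?
      strictRoundTrips: displayed(strict) === input,
      // Raw angle brackets in the output would mean markup, not just display drift.
      rawMarkup: /[<>]/.test(loose) || /[<>]/.test(strict),
    };
  });
}

for (const row of report(SAMPLES)) console.log(row);
```
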

reviewbot
  1. Tool: Pyflakes
    Ignored Files:
        reviewboard/static/lib/js/marked.js
    
    
    
    Tool: PEP8 Style Checker
    Ignored Files:
        reviewboard/static/lib/js/marked.js
    
    
david
  1. Ship It!

chipx86
Review request changed
Status:
Completed