mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-12-13 01:40:36 +00:00
LibMarkdown: Wrap code block language string in escape_html_entities()
This would allow HTML injection as the string was inserted into the HTML output with no sanitation whatsoever. Fixes #7123.
This commit is contained in:
parent
0a70e1728a
commit
9c19e62675
Notes:
sideshowbarker
2024-07-18 17:44:13 +09:00
1 changed files with 1 additions and 1 deletions
|
@ -39,7 +39,7 @@ String CodeBlock::render_to_html() const
|
|||
if (style_language.is_empty())
|
||||
builder.append("<code>");
|
||||
else
|
||||
builder.appendff("<code class=\"{}\">", style_language);
|
||||
builder.appendff("<code class=\"{}\">", escape_html_entities(style_language));
|
||||
|
||||
if (style_language == "js")
|
||||
builder.append(JS::MarkupGenerator::html_from_source(m_code));
|
||||
|
|
Loading…
Reference in a new issue