From 9c19e626754731e737208dcf4ee4e46f9d5bcd22 Mon Sep 17 00:00:00 2001
From: Linus Groh
Date: Wed, 19 May 2021 23:30:42 +0100
Subject: [PATCH] LibMarkdown: Wrap code block language string in escape_html_entities()

This would allow HTML injection as the string was inserted into the HTML output with no sanitation whatsoever.
Fixes #7123.
---
 Userland/Libraries/LibMarkdown/CodeBlock.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibMarkdown/CodeBlock.cpp b/Userland/Libraries/LibMarkdown/CodeBlock.cpp
index 3a6b8dff157..de2bb0958b7 100644
--- a/Userland/Libraries/LibMarkdown/CodeBlock.cpp
+++ b/Userland/Libraries/LibMarkdown/CodeBlock.cpp
@@ -39,7 +39,7 @@ String CodeBlock::render_to_html() const
 if (style_language.is_empty())
 builder.append("");
 else
- builder.appendff("", style_language);
+ builder.appendff("", escape_html_entities(style_language));
 if (style_language == "js")
 builder.append(JS::MarkupGenerator::html_from_source(m_code));
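Review bot: On the added `appendff` line, whether the escaping is sufficient depends on the output context, which this page does not show because the format literal renders as `""`. If the language string lands inside a quoted attribute value (likely, given the name `style_language`, but not confirmed here), then `escape_html_entities()` must encode `"` as well as `<`, `>` and `&`; the helper's body is outside this hunk, so that needs checking. A regression test that renders a fenced block whose language string contains `"`, `<` and `&`, and asserts they appear only in entity form, would pin the fix for #7123. A short comment above the branch would also help, e.g. `// style_language comes from the document and is untrusted; escape it before it reaches the HTML output.` `render_to_html()` starts and continues outside the hunk, so how `m_code` is emitted for non-"js" languages cannot be assessed from here.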