fix: fix for html injection

harshithad0703 · harshithad0703 · commit 38cca9fe31d9 · 2025-02-12T12:28:55.000+05:30
diff --git a/src/helper/enumerate-entries.ts b/src/helper/enumerate-entries.ts
@@ -42,7 +42,7 @@ export function enumerateContents(
 }
 
 export function textNodeToHTML(node: TextNode, renderOption: RenderOption): string {
-  let text = node.text;
+  let text = escapeHtml(node.text);
   if (node.classname || node.id) {
     text = (renderOption[MarkType.CLASSNAME_OR_ID] as RenderMark)(text, node.classname, node.id);
   }
@@ -158,3 +158,10 @@ function nodeToHTML(
     }
   }
 }
+
+function escapeHtml(text: string): string {
+  return text
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+}

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ export function enumerateContents(`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`export function textNodeToHTML(node: TextNode, renderOption: RenderOption): string {`
`45`		`- let text = node.text;`
	`45`	`+ let text = escapeHtml(node.text);`
`46`	`46`	`if (node.classname \|\| node.id) {`
`47`	`47`	`text = (renderOption[MarkType.CLASSNAME_OR_ID] as RenderMark)(text, node.classname, node.id);`
`48`	`48`	`}`
`@@ -158,3 +158,10 @@ function nodeToHTML(`
`158`	`158`	`}`
`159`	`159`	`}`
`160`	`160`	`}`
	`161`	`+`
	`162`	`+function escapeHtml(text: string): string {`
	`163`	`+ return text`
	`164`	`+ .replace(/&/g, '&')`
	`165`	`+ .replace(/</g, '<')`
	`166`	`+ .replace(/>/g, '>')`
	`167`	`+}`