From 38e5eeea00a56d548dee683eaaf9158ce335175d Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Mon, 4 Nov 2024 11:31:44 +0000
Subject: [PATCH] Fix markdown escaping wrongly passing html through (#28363)

* Fix markdown escaping wrongly passing html through

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Add comment

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 src/Markdown.ts                          |  5 ++++-
 test/unit-tests/editor/serialize-test.ts | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/Markdown.ts b/src/Markdown.ts
index 5e4265bc26..9a346bf2f6 100644
--- a/src/Markdown.ts
+++ b/src/Markdown.ts
@@ -383,6 +383,9 @@ export default class Markdown {
             if (isMultiLine(node) && node.next) this.lit("\n\n");
         };
 
-        return renderer.render(this.parsed);
+        // We inhibit the default escape function as we escape the entire output string to correctly handle backslashes
+        renderer.esc = (input: string) => input;
+
+        return escape(renderer.render(this.parsed));
     }
 }
diff --git a/test/unit-tests/editor/serialize-test.ts b/test/unit-tests/editor/serialize-test.ts
index e9f905125b..8920bf1747 100644
--- a/test/unit-tests/editor/serialize-test.ts
+++ b/test/unit-tests/editor/serialize-test.ts
@@ -9,7 +9,7 @@ Please see LICENSE files in the repository root for full details.
 import { mocked } from "jest-mock";
 
 import EditorModel from "../../../src/editor/model";
-import { htmlSerializeIfNeeded } from "../../../src/editor/serialize";
+import { htmlSerializeFromMdIfNeeded, htmlSerializeIfNeeded } from "../../../src/editor/serialize";
 import { createPartCreator } from "./mock";
 import { IConfigOptions } from "../../../src/IConfigOptions";
 import SettingsStore from "../../../src/settings/SettingsStore";
@@ -71,6 +71,12 @@ describe("editor/serialize", function () {
             const html = htmlSerializeIfNeeded(model, {});
             expect(html).toBe("*hello* world");
         });
+        it("escaped markdown should not retain backslashes around other markdown", function () {
+            const pc = createPartCreator();
+            const model = new EditorModel([pc.plain("\\*hello\\* **world**")], pc);
+            const html = htmlSerializeIfNeeded(model, {});
+            expect(html).toBe("*hello* <strong>world</strong>");
+        });
         it("escaped markdown should convert HTML entities", function () {
             const pc = createPartCreator();
             const model = new EditorModel([pc.plain("\\*hello\\* world < hey world!")], pc);
@@ -153,6 +159,14 @@ describe("editor/serialize", function () {
             const html = htmlSerializeIfNeeded(model, { forceHTML: true, useMarkdown: false });
             expect(html).toBe("hello world");
         });
+        it("should treat tags not in allowlist as plaintext", () => {
+            const html = htmlSerializeFromMdIfNeeded("<b>test</b>", {});
+            expect(html).toBeUndefined();
+        });
+        it("should treat tags not in allowlist as plaintext even if escaped", () => {
+            const html = htmlSerializeFromMdIfNeeded("\\<b>test</b>", {});
+            expect(html).toBe("&lt;b&gt;test&lt;/b&gt;");
+        });
     });
 
     describe("feature_latex_maths", () => {