From 38e5eeea00a56d548dee683eaaf9158ce335175d Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Mon, 4 Nov 2024 11:31:44 +0000 Subject: [PATCH] Fix markdown escaping wrongly passing html through (#28363) * Fix markdown escaping wrongly passing html through Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Add comment Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- src/Markdown.ts | 5 ++++- test/unit-tests/editor/serialize-test.ts | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/Markdown.ts b/src/Markdown.ts index 5e4265bc26..9a346bf2f6 100644 --- a/src/Markdown.ts +++ b/src/Markdown.ts @@ -383,6 +383,9 @@ export default class Markdown { if (isMultiLine(node) && node.next) this.lit("\n\n"); }; - return renderer.render(this.parsed); + // We inhibit the default escape function as we escape the entire output string to correctly handle backslashes + renderer.esc = (input: string) => input; + + return escape(renderer.render(this.parsed)); } } diff --git a/test/unit-tests/editor/serialize-test.ts b/test/unit-tests/editor/serialize-test.ts index e9f905125b..8920bf1747 100644 --- a/test/unit-tests/editor/serialize-test.ts +++ b/test/unit-tests/editor/serialize-test.ts @@ -9,7 +9,7 @@ Please see LICENSE files in the repository root for full details. import { mocked } from "jest-mock"; import EditorModel from "../../../src/editor/model"; -import { htmlSerializeIfNeeded } from "../../../src/editor/serialize"; +import { htmlSerializeFromMdIfNeeded, htmlSerializeIfNeeded } from "../../../src/editor/serialize"; import { createPartCreator } from "./mock"; import { IConfigOptions } from "../../../src/IConfigOptions"; import SettingsStore from "../../../src/settings/SettingsStore"; @@ -71,6 +71,12 @@ describe("editor/serialize", function () { const html = htmlSerializeIfNeeded(model, {}); expect(html).toBe("*hello* world"); }); + it("escaped markdown should not retain backslashes around other markdown", function () { + const pc = createPartCreator(); + const model = new EditorModel([pc.plain("\\*hello\\* **world**")], pc); + const html = htmlSerializeIfNeeded(model, {}); + expect(html).toBe("*hello* <strong>world</strong>"); + }); it("escaped markdown should convert HTML entities", function () { const pc = createPartCreator(); const model = new EditorModel([pc.plain("\\*hello\\* world < hey world!")], pc); @@ -153,6 +159,14 @@ describe("editor/serialize", function () { const html = htmlSerializeIfNeeded(model, { forceHTML: true, useMarkdown: false }); expect(html).toBe("hello world"); }); + it("should treat tags not in allowlist as plaintext", () => { + const html = htmlSerializeFromMdIfNeeded("<b>test</b>", {}); + expect(html).toBeUndefined(); + }); + it("should treat tags not in allowlist as plaintext even if escaped", () => { + const html = htmlSerializeFromMdIfNeeded("\\<b>test</b>", {}); + expect(html).toBe("<b>test</b>"); + }); }); describe("feature_latex_maths", () => {