Opened 7 years ago

Closed 7 years ago

#890 closed defect (fixed)

hyde doesn't do any HTML-escaping for unknown languages

Reported by: sjamaan Owned by: syn
Priority: major Milestone:
Component: extensions Version:
Keywords: escaping, html, hyde Cc:
Estimated difficulty:

Description

The following will put the HTML code as-is into the output instead of escaping the angular brackets.

<enscript highlight="html">
<div>
  <span>Hello, <strong>dear</strong> friends.</span>
  <span>This is a simple example.</span>
</div>
</enscript>

The problem here is that hyde calls colorize with an exception handler which just returns the original code. This code is then injected, whereas colorize will return HTML, taking care of escaping.

Actually, hyde should choose whether it wants to do string manipulation or use SXML throughout. Using inject is a nasty hack and should be avoided. Take a look at qwiki; it calls html->sxml on the output of colorize and any other user-supplied HTML. If hyde would do this, it also ensures that any mistakes in any of the converters (or the user's own code) don't mess up the SXML structure.

Attachments (1)

colorize-bugfix.patch (634 bytes) - added by sjamaan 7 years ago.
Fix for the immediate bug

Download all attachments as: .zip

Change History (2)

Changed 7 years ago by sjamaan

Fix for the immediate bug

comment:1 Changed 7 years ago by syn

  • Resolution set to fixed
  • Status changed from new to closed

Thanks for the patch, I applied it to trunk and will include it in the next release. I'm not quite sold on SXML all the way down. I'll give it some more though :-) Thanks!

Note: See TracTickets for help on using tickets.