Opened 12 years ago
Closed 12 years ago
#890 closed defect (fixed)
hyde doesn't do any HTML-escaping for unknown languages
Reported by: | sjamaan | Owned by: | Moritz Heidkamp |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | extensions | Version: | |
Keywords: | escaping, html, hyde | Cc: | |
Estimated difficulty: |
Description
The following will put the HTML code as-is into the output instead of escaping the angular brackets.
<enscript highlight="html"> <div> <span>Hello, <strong>dear</strong> friends.</span> <span>This is a simple example.</span> </div> </enscript>
The problem here is that hyde calls colorize with an exception handler which just returns the original code. This code is then injected, whereas colorize will return HTML, taking care of escaping.
Actually, hyde should choose whether it wants to do string manipulation or use SXML throughout. Using inject
is a nasty hack and should be avoided. Take a look at qwiki; it calls html->sxml
on the output of colorize and any other user-supplied HTML. If hyde would do this, it also ensures that any mistakes in any of the converters (or the user's own code) don't mess up the SXML structure.
Attachments (1)
Change History (2)
Changed 12 years ago by
Attachment: | colorize-bugfix.patch added |
---|
comment:1 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Thanks for the patch, I applied it to trunk and will include it in the next release. I'm not quite sold on SXML all the way down. I'll give it some more though :-) Thanks!
Fix for the immediate bug