id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	difficulty
890	hyde doesn't do any HTML-escaping for unknown languages	sjamaan	Moritz Heidkamp	"The following will put the HTML code as-is into the output instead of escaping the angular brackets.

{{{
<enscript highlight=""html"">
<div>
  <span>Hello, <strong>dear</strong> friends.</span>
  <span>This is a simple example.</span>
</div>
</enscript>
}}}

The problem here is that hyde calls colorize with an exception handler which just returns the original code.  This code is then injected, whereas colorize will return HTML, taking care of escaping.

Actually, hyde should choose whether it wants to do string manipulation or use SXML throughout.  Using {{{inject}}} is a nasty hack and should be avoided. Take a look at qwiki; it calls {{{html->sxml}}} on the output of colorize and any other user-supplied HTML.  If hyde would do this, it also ensures that any mistakes in any of the converters (or the user's own code) don't mess up the SXML structure."	defect	closed	major		extensions		fixed	escaping, html, hyde		
