(parser) properly escape ' and " in HTML output (#2564)

* escape quotes also in final HTML output * [style] update test coding style * update markup tests with new escaping This shouldn't be a security issue -- we've always escaped double quotes inside of HTML attribute values (where they could be used to break out of context) - and we've always used double quotes for enclosing attribute values. This just goes all the way and now properly escapes quotes everywhere. Better safe than sorry.
highlightjs · May 22, 2020 · 3e9c1b1 · 3e9c1b1
1 parent a6f0a34
commit 3e9c1b1
Show file tree

Hide file tree

Showing 156 changed files with 650 additions and 634 deletions.
diff --git a/src/lib/utils.js b/src/lib/utils.js
@@ -3,7 +3,12 @@
  * @returns {string}
  */
 export function escapeHTML(value) {
-  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;');
 }
 
 /**
@@ -121,7 +126,7 @@ export function mergeStreams(original, highlighted, value) {
   function open(node) {
     /** @param {Attr} attr */
     function attr_str(attr) {
-      return ' ' + attr.nodeName + '="' + escapeHTML(attr.value).replace(/"/g, '&quot;') + '"';
+      return ' ' + attr.nodeName + '="' + escapeHTML(attr.value) + '"';
     }
     // @ts-ignore
     result += '<' + tag(node) + [].map.call(node.attributes, attr_str).join('') + '>';

diff --git a/test/markup/abnf/default.expect.txt b/test/markup/abnf/default.expect.txt
@@ -17,6 +17,6 @@ a
                 / insensitive
 
 <span class="hljs-attribute">hex-codes</span>   =   <span class="hljs-symbol">%x68.65.6C.6C.6F</span>
-<span class="hljs-attribute">literal</span>     =   <span class="hljs-string">"string literal"</span>
-<span class="hljs-attribute">sensitive</span>   =   <span class="hljs-symbol">%s</span><span class="hljs-string">"case-sensitive string"</span>
-<span class="hljs-attribute">insensitive</span> =   <span class="hljs-symbol">%i</span><span class="hljs-string">"case-insensitive string"</span>
+<span class="hljs-attribute">literal</span>     =   <span class="hljs-string">&quot;string literal&quot;</span>
+<span class="hljs-attribute">sensitive</span>   =   <span class="hljs-symbol">%s</span><span class="hljs-string">&quot;case-sensitive string&quot;</span>
+<span class="hljs-attribute">insensitive</span> =   <span class="hljs-symbol">%i</span><span class="hljs-string">&quot;case-insensitive string&quot;</span>
diff --git a/test/markup/accesslog/default.expect.txt b/test/markup/accesslog/default.expect.txt
@@ -1,5 +1,5 @@
-<span class="hljs-number">20.164.151.111</span> - - <span class="hljs-string">[20/Aug/2015:22:20:18 -0400]</span> <span class="hljs-string">"<span class="hljs-keyword">GET</span> /mywebpage/index.php HTTP/1.1"</span> <span class="hljs-number">403</span> <span class="hljs-number">772</span> <span class="hljs-string">"-"</span> <span class="hljs-string">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"</span>
-<span class="hljs-number">127.0.0.1</span> user-identifier frank <span class="hljs-string">[10/Oct/2000:13:55:36 -0700]</span> <span class="hljs-string">"<span class="hljs-keyword">GET</span> /apache_pb.gif HTTP/1.0"</span> <span class="hljs-number">200</span> <span class="hljs-number">2326</span>
-<span class="hljs-number">192.168.2.20</span> - - <span class="hljs-string">[28/Jul/2006:10:27:10 -0300]</span> <span class="hljs-string">"<span class="hljs-keyword">GET</span> /cgi-bin/try/ HTTP/1.0"</span> <span class="hljs-number">200</span> <span class="hljs-number">3395</span>
-<span class="hljs-number">127.0.0.90</span> - - <span class="hljs-string">[13/Sep/2006:07:00:53 -0700]</span> <span class="hljs-string">"PROPFIND /svn/some_url/Extranet/branches/SOW-101 HTTP/1.1"</span> <span class="hljs-number">401</span> <span class="hljs-number">587</span>
-<span class="hljs-number">66.249.78.17</span> – – <span class="hljs-string">[13/Jul/2015:07:18:58 -0400]</span> <span class="hljs-string">"<span class="hljs-keyword">GET</span> /robots.txt HTTP/1.1"</span> <span class="hljs-number">200</span> <span class="hljs-number">0</span> <span class="hljs-string">"-"</span> <span class="hljs-string">"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"</span>
+<span class="hljs-number">20.164.151.111</span> - - <span class="hljs-string">[20/Aug/2015:22:20:18 -0400]</span> <span class="hljs-string">&quot;<span class="hljs-keyword">GET</span> /mywebpage/index.php HTTP/1.1&quot;</span> <span class="hljs-number">403</span> <span class="hljs-number">772</span> <span class="hljs-string">&quot;-&quot;</span> <span class="hljs-string">&quot;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1&quot;</span>
+<span class="hljs-number">127.0.0.1</span> user-identifier frank <span class="hljs-string">[10/Oct/2000:13:55:36 -0700]</span> <span class="hljs-string">&quot;<span class="hljs-keyword">GET</span> /apache_pb.gif HTTP/1.0&quot;</span> <span class="hljs-number">200</span> <span class="hljs-number">2326</span>
+<span class="hljs-number">192.168.2.20</span> - - <span class="hljs-string">[28/Jul/2006:10:27:10 -0300]</span> <span class="hljs-string">&quot;<span class="hljs-keyword">GET</span> /cgi-bin/try/ HTTP/1.0&quot;</span> <span class="hljs-number">200</span> <span class="hljs-number">3395</span>
+<span class="hljs-number">127.0.0.90</span> - - <span class="hljs-string">[13/Sep/2006:07:00:53 -0700]</span> <span class="hljs-string">&quot;PROPFIND /svn/some_url/Extranet/branches/SOW-101 HTTP/1.1&quot;</span> <span class="hljs-number">401</span> <span class="hljs-number">587</span>
+<span class="hljs-number">66.249.78.17</span> – – <span class="hljs-string">[13/Jul/2015:07:18:58 -0400]</span> <span class="hljs-string">&quot;<span class="hljs-keyword">GET</span> /robots.txt HTTP/1.1&quot;</span> <span class="hljs-number">200</span> <span class="hljs-number">0</span> <span class="hljs-string">&quot;-&quot;</span> <span class="hljs-string">&quot;Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)&quot;</span>
diff --git a/test/markup/arcade/profile.expect.txt b/test/markup/arcade/profile.expect.txt
@@ -2,8 +2,8 @@
   Isolated test for the most recent version
 */</span>
 <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">offsetPopulation</span>(<span class="hljs-params">offset</span>)</span>{
-   <span class="hljs-keyword">var</span> popDensity = <span class="hljs-built_in">Round</span>( <span class="hljs-symbol">$feature</span>.POPULATION / <span class="hljs-built_in">AreaGeodetic</span>(<span class="hljs-built_in">Geometry</span>(<span class="hljs-symbol">$feature</span>), <span class="hljs-string">"square-kilometers"</span>) );
-   <span class="hljs-keyword">var</span> geom = <span class="hljs-built_in">Geometry</span>({ <span class="hljs-string">'x'</span>: offset.x, <span class="hljs-string">'y'</span>: offset.y, <span class="hljs-string">'spatialReference'</span>:{<span class="hljs-string">'wkid'</span>:<span class="hljs-number">102100</span>} });
-   <span class="hljs-keyword">var</span> myLayer = <span class="hljs-built_in">FeatureSet</span>(<span class="hljs-symbol">$map</span>, [<span class="hljs-string">"POPULATION"</span>, <span class="hljs-string">"ELECTION-DATA"</span>]);
+   <span class="hljs-keyword">var</span> popDensity = <span class="hljs-built_in">Round</span>( <span class="hljs-symbol">$feature</span>.POPULATION / <span class="hljs-built_in">AreaGeodetic</span>(<span class="hljs-built_in">Geometry</span>(<span class="hljs-symbol">$feature</span>), <span class="hljs-string">&quot;square-kilometers&quot;</span>) );
+   <span class="hljs-keyword">var</span> geom = <span class="hljs-built_in">Geometry</span>({ <span class="hljs-string">&#x27;x&#x27;</span>: offset.x, <span class="hljs-string">&#x27;y&#x27;</span>: offset.y, <span class="hljs-string">&#x27;spatialReference&#x27;</span>:{<span class="hljs-string">&#x27;wkid&#x27;</span>:<span class="hljs-number">102100</span>} });
+   <span class="hljs-keyword">var</span> myLayer = <span class="hljs-built_in">FeatureSet</span>(<span class="hljs-symbol">$map</span>, [<span class="hljs-string">&quot;POPULATION&quot;</span>, <span class="hljs-string">&quot;ELECTION-DATA&quot;</span>]);
    <span class="hljs-keyword">return</span> popDensity;
-}
+}
diff --git a/test/markup/arduino/default.expect.txt b/test/markup/arduino/default.expect.txt
@@ -22,3 +22,4 @@
   <span class="hljs-built_in">digitalWrite</span>(led, <span class="hljs-literal">LOW</span>);    <span class="hljs-comment">// turn the LED off by making the voltage LOW</span>
   <span class="hljs-built_in">delay</span>(<span class="hljs-number">1000</span>);               <span class="hljs-comment">// wait for a second</span>
 }
+
diff --git a/test/markup/bash/escaped-quote.expect.txt b/test/markup/bash/escaped-quote.expect.txt
@@ -1,2 +1,2 @@
 <span class="hljs-comment"># Escaped double-quote is not a string</span>
-<span class="hljs-built_in">echo</span> <span class="hljs-string">'"quoted"'</span> | tr -d \" &gt; text.txt
+<span class="hljs-built_in">echo</span> <span class="hljs-string">&#x27;&quot;quoted&quot;&#x27;</span> | tr -d \&quot; &gt; text.txt
diff --git a/test/markup/bash/no-numbers.expect.txt b/test/markup/bash/no-numbers.expect.txt
@@ -1,3 +1,3 @@
-<span class="hljs-comment"># numbers aren't highlighted in bash as their semantics is</span>
+<span class="hljs-comment"># numbers aren&#x27;t highlighted in bash as their semantics is</span>
 <span class="hljs-comment"># not strictly defined for command line parameters</span>
 $ tail -10 access.log
diff --git a/test/markup/bash/strings.expect.txt b/test/markup/bash/strings.expect.txt
@@ -1,3 +1,3 @@
-SCRIPT_DIR=<span class="hljs-string">"<span class="hljs-subst">$( cd <span class="hljs-string">"<span class="hljs-subst">$( dirname <span class="hljs-string">"<span class="hljs-variable">${BASH_SOURCE[0]}</span>"</span> )</span>"</span> &gt;/dev/null 2&gt;&amp;1 &amp;&amp; pwd )</span>"</span>
-TLS_DIR=<span class="hljs-string">"<span class="hljs-variable">$SCRIPT_DIR</span>/../src/main/resources/tls"</span>
-ROOT_DIR=<span class="hljs-string">"<span class="hljs-variable">$SCRIPT_DIR</span>/.."</span>
+SCRIPT_DIR=<span class="hljs-string">&quot;<span class="hljs-subst">$( cd <span class="hljs-string">&quot;<span class="hljs-subst">$( dirname <span class="hljs-string">&quot;<span class="hljs-variable">${BASH_SOURCE[0]}</span>&quot;</span> )</span>&quot;</span> &gt;/dev/null 2&gt;&amp;1 &amp;&amp; pwd )</span>&quot;</span>
+TLS_DIR=<span class="hljs-string">&quot;<span class="hljs-variable">$SCRIPT_DIR</span>/../src/main/resources/tls&quot;</span>
+ROOT_DIR=<span class="hljs-string">&quot;<span class="hljs-variable">$SCRIPT_DIR</span>/..&quot;</span>
diff --git a/test/markup/clojure/globals_definition.expect.txt b/test/markup/clojure/globals_definition.expect.txt
@@ -4,34 +4,34 @@
 
 <span class="hljs-comment">; function</span>
 (<span class="hljs-keyword">defn</span> <span class="hljs-title">clojure-function</span> [args]
-  (<span class="hljs-name"><span class="hljs-builtin-name">let</span></span> [string   <span class="hljs-string">"multiline\nstring"</span>
-        regexp   #<span class="hljs-string">"regexp"</span>
+  (<span class="hljs-name"><span class="hljs-builtin-name">let</span></span> [string   <span class="hljs-string">&quot;multiline\nstring&quot;</span>
+        regexp   #<span class="hljs-string">&quot;regexp&quot;</span>
         number   <span class="hljs-number">100</span>,<span class="hljs-number">000</span>
         booleans [<span class="hljs-literal">false</span> <span class="hljs-literal">true</span>]
         keyword  <span class="hljs-symbol">::the-keyword</span>]
     <span class="hljs-comment">;; this is comment</span>
     (<span class="hljs-name"><span class="hljs-builtin-name">if</span></span> <span class="hljs-literal">true</span>
       (<span class="hljs-name"><span class="hljs-builtin-name">-&gt;&gt;</span></span>
-        (<span class="hljs-name"><span class="hljs-builtin-name">list</span></span> [vector] {<span class="hljs-symbol">:map</span> map} #{'set})))))
+        (<span class="hljs-name"><span class="hljs-builtin-name">list</span></span> [vector] {<span class="hljs-symbol">:map</span> map} #{&#x27;set})))))
 
 <span class="hljs-comment">; global</span>
 (<span class="hljs-keyword">def</span> <span class="hljs-title">some-var</span>)
 <span class="hljs-comment">; another one</span>
-(<span class="hljs-keyword">def</span> <span class="hljs-title">alternative-var</span> <span class="hljs-string">"132"</span>)
+(<span class="hljs-keyword">def</span> <span class="hljs-title">alternative-var</span> <span class="hljs-string">&quot;132&quot;</span>)
 <span class="hljs-comment">; defonce</span>
-(<span class="hljs-keyword">defonce</span> ^<span class="hljs-symbol">:private</span> <span class="hljs-title">another-var</span> #<span class="hljs-string">"foo"</span>)
+(<span class="hljs-keyword">defonce</span> ^<span class="hljs-symbol">:private</span> <span class="hljs-title">another-var</span> #<span class="hljs-string">&quot;foo&quot;</span>)
 
 <span class="hljs-comment">; private function</span>
 (<span class="hljs-keyword">defn-</span> <span class="hljs-title">add</span> [x y] (<span class="hljs-name"><span class="hljs-builtin-name">+</span></span> x y))
 
 <span class="hljs-comment">; protocols</span>
 (<span class="hljs-keyword">defprotocol</span> <span class="hljs-title">Fly</span>
-  <span class="hljs-string">"A simple protocol for flying"</span>
-  (<span class="hljs-name">fly</span> [this] <span class="hljs-string">"Method to fly"</span>))
+  <span class="hljs-string">&quot;A simple protocol for flying&quot;</span>
+  (<span class="hljs-name">fly</span> [this] <span class="hljs-string">&quot;Method to fly&quot;</span>))
 
 (<span class="hljs-keyword">defrecord</span> <span class="hljs-title">Bird</span> [name species]
   Fly
-  (<span class="hljs-name">fly</span> [this] (<span class="hljs-name"><span class="hljs-builtin-name">str</span></span> (<span class="hljs-symbol">:name</span> this) <span class="hljs-string">" flies..."</span>)))
+  (<span class="hljs-name">fly</span> [this] (<span class="hljs-name"><span class="hljs-builtin-name">str</span></span> (<span class="hljs-symbol">:name</span> this) <span class="hljs-string">&quot; flies...&quot;</span>)))
 
 <span class="hljs-comment">; multimethods</span>
 (<span class="hljs-keyword">defmulti</span> <span class="hljs-title">service-charge</span> (<span class="hljs-name"><span class="hljs-builtin-name">fn</span></span> [acct] [(<span class="hljs-name">account-level</span> acct) (<span class="hljs-symbol">:tag</span> acct)]))
@@ -43,7 +43,7 @@
 (<span class="hljs-keyword">defmacro</span> <span class="hljs-title">unless</span> [pred a b]
   `(<span class="hljs-name"><span class="hljs-builtin-name">if</span></span> (<span class="hljs-name"><span class="hljs-builtin-name">not</span></span> ~pred) ~a ~b))
 
-(<span class="hljs-name">unless</span> <span class="hljs-literal">false</span> (<span class="hljs-name">println</span> <span class="hljs-string">"Will print"</span>) (<span class="hljs-name">println</span> <span class="hljs-string">"Will not print"</span>))
+(<span class="hljs-name">unless</span> <span class="hljs-literal">false</span> (<span class="hljs-name">println</span> <span class="hljs-string">&quot;Will print&quot;</span>) (<span class="hljs-name">println</span> <span class="hljs-string">&quot;Will not print&quot;</span>))
 
 <span class="hljs-comment">; types</span>
 (<span class="hljs-keyword">deftype</span> <span class="hljs-title">Circle</span> [radius])