enh(parser) Warn if unescaped HTML is present (#3057)

highlightjs · Mar 22, 2021 · 8791320 · 8791320
1 parent fbdbc7b
commit 8791320
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/src/highlight.js b/src/highlight.js
@@ -42,6 +42,7 @@ const HLJS = function(hljs) {
   // calling the `hljs.configure` function.
   /** @type HLJSOptions */
   let options = {
+    ignoreUnescapedHTML: false,
     noHighlightRe: /^(no-?highlight)$/i,
     languageDetectRe: /\blang(?:uage)?-([\w-]+)\b/i,
     classPrefix: 'hljs-',
@@ -668,15 +669,20 @@ const HLJS = function(hljs) {
 
     if (shouldNotHighlight(language)) return;
 
-    // support for v10 API
     fire("before:highlightElement",
       { el: element, language: language });
 
+    // we should be all text, no child nodes
+    if (!options.ignoreUnescapedHTML && element.children.length > 0) {
+      console.warn("One of your code blocks includes unescaped HTML. This is a potentially serious security risk.");
+      console.warn("https://github.com/highlightjs/highlight.js/issues/2886");
+      console.warn(element);
+    }
+
     node = element;
     const text = node.textContent;
     const result = language ? highlight(text, { language, ignoreIllegals: true }) : highlightAuto(text);
 
-    // support for v10 API
     fire("after:highlightElement", { el: element, result, text });
 
     element.innerHTML = result.value;

diff --git a/types/index.d.ts b/types/index.d.ts
@@ -123,6 +123,7 @@ interface HLJSOptions {
    classPrefix: string
    languages?: string[]
    __emitter: EmitterConstructor
+   ignoreUnescapedHTML?: boolean
 }
 
 interface CallbackResponse {