
Fix class injection in fence renderer

Close https://github.com/markdown-it/markdown-it/issues/128
pull/135/head
Alex Kocharin 10 years ago
parent
commit
019bbda5f5
  1. 5
      lib/renderer.js
  2. 10
      test/fixtures/markdown-it/commonmark_extras.txt
  3. 17
      test/fixtures/markdown-it/xss.txt

5
lib/renderer.js

@ -30,11 +30,12 @@ default_rules.code_block = function (tokens, idx /*, options, env */) {
default_rules.fence = function (tokens, idx, options, env, self) { default_rules.fence = function (tokens, idx, options, env, self) {
var token = tokens[idx], var token = tokens[idx],
info = token.info ? unescapeAll(token.info).trim() : '',
langName = '', langName = '',
highlighted; highlighted;
if (token.info) { if (info) {
langName = unescapeAll(token.info.trim().split(/\s+/g)[0]); langName = info.split(/\s+/g)[0];
token.attrPush([ 'class', options.langPrefix + langName ]); token.attrPush([ 'class', options.langPrefix + langName ]);
} }
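Review bot: The new `info` line in `default_rules.fence` carries the whole fix by decoding entities and escapes before the whitespace split, but nothing in the code says the order is security-relevant, so a later refactor could move `unescapeAll` back after the split. I would add a comment above it such as `// Decode first: an encoded space (&#32;, &#x0C;) must split the info string, not end up inside class=""`. The `g` flag on `/\s+/g` has no effect in `split` and can be dropped: `langName = info.split(/\s+/)[0];`. The function body continues past the hunk, where `langName` is presumably also handed to the highlighter; that path is not visible here, and it is worth confirming that it treats the name as untrusted text.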

10
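--- a/test/fixtures/markdown-it/commonmark_extras.txt
+++ b/test/fixtures/markdown-it/commonmark_extras.txt
@@ -98,6 +98,16 @@ Regression test (code block + regular paragraph)
 </blockquote>
 .
+Don't output empty class here:
+.
+```&#x20;
+test
+```
+.
+<pre><code>test
+</code></pre>
+.
 Coverage. Directive can terminate paragraph.
 .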

17
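--- a/test/fixtures/markdown-it/xss.txt
+++ b/test/fixtures/markdown-it/xss.txt
@@ -109,3 +109,20 @@ References
 .
 <p>[test]: javascript:alert(1)</p>
 .
+Make sure we decode entities before split:
+.
+```js&#32;custom-class
+test1
+```
+```js&#x0C;custom-class
+test2
+```
+.
+<pre><code class="js">test1
+</code></pre>
+<pre><code class="js">test2
+</code></pre>
+.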
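Review bot: The added case exercises only `&#32;` and `&#x0C;`, so the other characters a browser treats as class-name separators are not pinned by a regression test. Adding fences with `&#9;`, `&#10;` and `&#13;` in the info string, each expecting `<code class="js">`, would keep a future change to the split pattern in lib/renderer.js from reopening the injection for those characters.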
