From 2f1eb4d5f3f373c6d0849e6071f763b53d51d7d5 Mon Sep 17 00:00:00 2001
From: AngeloR <xangelo@gmail.com>
Date: Wed, 10 Dec 2025 02:33:43 -0500
Subject: [PATCH] bug: do not escape html entities in code spans/blocks

---
 src/lib/outline.ts           |  3 ++-
 src/lib/parsers/md-parser.ts | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/lib/outline.ts b/src/lib/outline.ts
index f835c02..d56fb03 100644
--- a/src/lib/outline.ts
+++ b/src/lib/outline.ts
@@ -9,7 +9,8 @@ import { $ } from 'dom';
 
 marked.use({
   renderer: {
-    link: markdownParsers.link
+    link: markdownParsers.link,
+    codespan: markdownParsers.codespan as any
   }
 });
 
diff --git a/src/lib/parsers/md-parser.ts b/src/lib/parsers/md-parser.ts
index f29809f..2b633ae 100644
--- a/src/lib/parsers/md-parser.ts
+++ b/src/lib/parsers/md-parser.ts
@@ -3,3 +3,33 @@ import { Tokens } from 'marked';
 export function link(token: Tokens.Link): string {
   return `<a href="${token.href}" ${token.title ? `title="${token.title}"` : ''} target="_blank">${token.text}</a>`;
 }
+
+function decodeHtmlEntities(input: string): string {
+  if (!input) {
+    return '';
+  }
+  return input
+    .replace(/&amp;/g, '&')
+    .replace(/&lt;/g, '<')
+    .replace(/&gt;/g, '>')
+    .replace(/&quot;/g, '"')
+    .replace(/&#39;/g, "'");
+}
+
+function escapeForCode(input: string): string {
+  if (!input) {
+    return '';
+  }
+  // For code content, escape only what is necessary for safe HTML text rendering.
+  // We intentionally do NOT escape '>' so sequences like `g>g` render literally.
+  return input
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;');
+}
+
+export function codespan(token: Tokens.Codespan): string {
+  const text = token.text;
+  const decoded = decodeHtmlEntities(text);
+  const escaped = escapeForCode(decoded);
+  return `<code>${escaped}</code>`;
+}