From ffbbcd65c1b621cec496e89d400cb0bf35eb3845 Mon Sep 17 00:00:00 2001
From: Tuomas Hietanen
Date: Tue, 28 Oct 2025 16:59:08 +0000
Subject: [PATCH] Some html encodes added (to prevent XSS)

---
 src/FSharp.Formatting.Markdown/HtmlFormatting.fs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/FSharp.Formatting.Markdown/HtmlFormatting.fs b/src/FSharp.Formatting.Markdown/HtmlFormatting.fs
index 600bd742d..b492289a5 100644
--- a/src/FSharp.Formatting.Markdown/HtmlFormatting.fs
+++ b/src/FSharp.Formatting.Markdown/HtmlFormatting.fs
@@ -76,7 +76,7 @@ let rec internal formatSpan (ctx: FormattingContext) span =
 // use mathjax grammar, for detail, check: http://www.mathjax.org/
 ctx.Writer.Write("\\(" + (htmlEncode body) + "\\)")
- | AnchorLink(id, _) -> ctx.Writer.Write(" ")
+ | AnchorLink(id, _) -> ctx.Writer.Write(" ")
 | EmbedSpans(cmd, _) -> formatSpans ctx (cmd.Render())
 | Literal(str, _) -> ctx.Writer.Write(str)
 | HardLineBreak(_) -> ctx.Writer.Write("
" + ctx.Newline)
@@ -181,7 +181,8 @@ let rec internal formatParagraph (ctx: FormattingContext) paragraph =
 if ctx.GenerateHeaderAnchors then
 let anchorName = formatAnchor ctx spans
- ctx.Writer.Write(sprintf """""" anchorName anchorName)
+ let safeAnchorName = htmlEncodeQuotes anchorName
+ ctx.Writer.Write(sprintf """""" safeAnchorName safeAnchorName)
 formatSpans ctx spans
 ctx.Writer.Write ""
 else
@@ -210,7 +211,7 @@ let rec internal formatParagraph (ctx: FormattingContext) paragraph =
 if String.IsNullOrWhiteSpace(language) then
 ctx.Writer.Write(sprintf "
")
         else
-            let langCode = sprintf "language-%s" language
+            let langCode = sprintf "language-%s" (htmlEncodeQuotes language)
             ctx.Writer.Write(sprintf "
" langCode)
 
         ctx.Writer.Write(htmlEncode code)
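Review bot: The escape on the `+` line is applied to `language` before the `language-` prefix is attached, so `langCode` now holds HTML-escaped text under a name that does not say so, while it is the attribute write on the following lines that needs the guarantee; encoding at the sink matches the `safeAnchorName` pattern of the earlier hunk: keep `let langCode = sprintf "language-%s" language` and pass `(htmlEncodeQuotes langCode)` in the `ctx.Writer.Write(sprintf ... langCode)` call. That also avoids double-encoding if `langCode` is later reused for anything other than that write (the rest of formatParagraph is outside the hunk). The `String.IsNullOrWhiteSpace(language)` branch writes a fixed tag and needs no encoding, and the code body on the last line already goes through `htmlEncode`.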