Proper HTML Escaping in code blocks and inline code

AUTHORS

@@ -12,3 +12,4 @@ Evan Klitzke (evan@eklitzke.org)
 Albert Schwarzkopf (dev-maddy@quitesimple.org)
 Ivans Saponenko (ivans.saponenko+maddy@gmail.com)
 Lucian Smith (lpsmith@uw.edu)
+Vardan Petrosyan (github.com/Vardan2009)

CHANGELOG.md

@@ -14,7 +14,7 @@ maddy uses [semver versioning](https://semver.org/).
 
 ## Upcoming
 
-* ...
+* ![**FIXED**](https://img.shields.io/badge/-FIXED-%23090) HTML escaping in code blocks and inline code
 
 ## version 1.6.0 2025-07-26
 

include/maddy/codeblockparser.h

@@ -11,6 +11,7 @@
 #include <string>
 
 #include "maddy/blockparser.h"
+#include "maddy/common.h"
 
 // -----------------------------------------------------------------------------
 
@@ -119,6 +120,8 @@ class CodeBlockParser : public BlockParser
       return;
     }
 
+    line = common::escapeHTML(line);
+
     line += "\n";
   }
 

include/maddy/common.h

@@ -0,0 +1,42 @@
+#pragma once
+
+#include <string>
+
+namespace maddy {
+
+namespace common {
+
+inline std::string escapeHTML(const std::string& input)
+{
+  std::string result;
+
+  for (char c : input)
+  {
+    switch (c)
+    {
+      case '&':
+        result += "&amp;";
+        break;
+      case '<':
+        result += "&lt;";
+        break;
+      case '>':
+        result += "&gt;";
+        break;
+      case '"':
+        result += "&quot;";
+        break;
+      case '\'':
+        result += "&apos;";
+        break;
+      default:
+        result += c;
+    }
+  }
+
+  return result;
+}
+
+} // namespace common
+
+} // namespace maddy

include/maddy/inlinecodeparser.h

@@ -9,6 +9,7 @@
 #include <regex>
 #include <string>
 
+#include "maddy/common.h"
 #include "maddy/lineparser.h"
 
 // -----------------------------------------------------------------------------
@@ -39,9 +40,23 @@ class InlineCodeParser : public LineParser
   void Parse(std::string& line) override
   {
     static std::regex re("`([^`]*)`");
-    static std::string replacement = "<code>$1</code>";
+    std::smatch match;
+    std::string result;
 
-    line = std::regex_replace(line, re, replacement);
+    auto searchStart = line.cbegin();
+
+    while (std::regex_search(searchStart, line.cend(), match, re))
+    {
+      result.append(match.prefix());
+
+      result += "<code>" + common::escapeHTML(match[1].str()) + "</code>";
+
+      searchStart = match.suffix().first;
+    }
+
+    result.append(searchStart, line.cend());
+
+    line = std::move(result);
   }
 }; // class InlineCodeParser
 

include/maddy/parser.h

@@ -394,6 +394,35 @@ class Parser
       }
     );
   }
+
+  static std::string escapeHTML(const std::string& input)
+  {
+    std::string result;
+    for (char c : input)
+    {
+      switch (c)
+      {
+        case '&':
+          result += "&";
+          break;
+        case '<':
+          result += "&lt;";
+          break;
+        case '>':
+          result += "&gt;";
+          break;
+        case '"':
+          result += "&quot;";
+          break;
+        case '\'':
+          result += "&apos;";
+          break;
+        default:
+          result += c;
+      }
+    }
+    return result;
+  }
 }; // class Parser
 
 // -----------------------------------------------------------------------------

tests/maddy/test_maddy_codeblockparser.cpp

@@ -74,3 +74,25 @@ TEST_F(MADDY_CODEBLOCKPARSER, ItShouldUseAnythingBehindFirstBackticksAsClass)
 
   ASSERT_EQ(expected, outputString);
 }
+
+TEST_F(MADDY_CODEBLOCKPARSER, ItProperlyEscapesHTML)
+{
+  std::vector<std::string> markdown = {
+    "```html", "<h1>Hello, World!</h1>", "```"
+  };
+
+  std::string expected =
+    "<pre class=\"html\"><code>\n&lt;h1&gt;Hello, "
+    "World!&lt;/h1&gt;\n</code></pre>";
+
+  for (std::string md : markdown)
+  {
+    cbParser->AddLine(md);
+  }
+  ASSERT_TRUE(cbParser->IsFinished());
+
+  std::stringstream& output(cbParser->GetResult());
+  const std::string& outputString = output.str();
+
+  ASSERT_EQ(expected, outputString);
+}

tests/maddy/test_maddy_inlinecodeparser.cpp

@@ -21,3 +21,17 @@ TEST(MADDY_INLINECODEPARSER, ItReplacesMarkdownWithCodeHTML)
 
   ASSERT_EQ(expected, text);
 }
+
+TEST(MADDY_INLINECODEPARSER, ItProperlyEscapesHTML)
+{
+  std::string text =
+    "some text `<h1>Test</h1>` text testing `<span>it</span>` out";
+  std::string expected =
+    "some text <code>&lt;h1&gt;Test&lt;/h1&gt;</code> text testing "
+    "<code>&lt;span&gt;it&lt;/span&gt;</code> out";
+  auto emphasizedParser = std::make_shared<maddy::InlineCodeParser>();
+
+  emphasizedParser->Parse(text);
+
+  ASSERT_EQ(expected, text);
+}

tests/maddy/test_maddy_parser.h

@@ -76,7 +76,8 @@ const std::string testHtml =
   "<strong>hierarchy</strong><ol><li>and an "
   "<em>ordered</em></li><li>list</li><li>directly</li></ol></li><li>inside</"
   "li></ul></li></ul><pre><code>\nvar c = "
-  "'blub';\n</code></pre><blockquote><p>A Quote  </p><p>With some <s>text</s>  "
+  "&apos;blub&apos;;\n</code></pre><blockquote><p>A Quote  </p><p>With some "
+  "<s>text</s>  "
   "blocks inside  </p><ul><li>even a list </li><li>should be </li><li>possible "
   "</li></ul></blockquote><p>And well <code>inline code</code> should also "
   "work. </p><h2>Another Headline</h2><p>And not to forget <a "
@@ -102,7 +103,8 @@ const std::string testHtml2 =
   "simple. </p><ul><li>an <i>unordered</i> list<ul><li>with some "
   "<strong>hierarchy</strong><ol><li>and an "
   "_ordered_</li><li>list</li><li>directly</li></ol></li><li>inside</li></ul></"
-  "li></ul><pre><code>\nvar c = 'blub';\n</code></pre><blockquote><p>A Quote  "
+  "li></ul><pre><code>\nvar c = "
+  "&apos;blub&apos;;\n</code></pre><blockquote><p>A Quote  "
   "</p><p>With some <s>text</s>  blocks inside  </p><ul><li>even a list "
   "</li><li>should be </li><li>possible </li></ul></blockquote><p>And well "
   "<code>inline code</code> should also work. </p><h2>Another "