From f1768054bcdbb2f439e5851e12d0cfd7819adc50 Mon Sep 17 00:00:00 2001 From: John MacFarlane Date: Sat, 10 Jan 2015 15:12:26 -0800 Subject: HTML renderer: Test for characters that need escaping before substituting. --- js/lib/html.js | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/js/lib/html.js b/js/lib/html.js index 37ee903..12a8db9 100644 --- a/js/lib/html.js +++ b/js/lib/html.js @@ -201,7 +201,7 @@ var renderNodes = function(block, options) { } cr(); out(tag('pre') + tag('code', attrs)); - out(this.escape(node.literal)); + out(esc(node.literal)); out(tag('/code') + tag('/pre')); cr(); break; @@ -230,7 +230,7 @@ var renderNodes = function(block, options) { return buffer; }; -var sub = function(s) { +var replaceUnsafeChar = function(s) { switch (s) { case '&': return '&'; @@ -245,6 +245,7 @@ var sub = function(s) { } }; +var reNeedsEscaping = /[&<>"]/; // The HtmlRenderer object. function HtmlRenderer(){ @@ -256,10 +257,14 @@ function HtmlRenderer(){ // set to "
" to make them hard breaks // set to " " if you want to ignore line wrapping in source escape: function(s, preserve_entities) { - if (preserve_entities) { - return s.replace(/[&](?:[#](x[a-f0-9]{1,8}|[0-9]{1,8});|[a-z][a-z0-9]{1,31};)|[&<>"]/gi, sub); + if (reNeedsEscaping.test(s)) { + if (preserve_entities) { + return s.replace(/[&](?:[#](x[a-f0-9]{1,8}|[0-9]{1,8});|[a-z][a-z0-9]{1,31};)|[&<>"]/gi, replaceUnsafeChar); + } else { + return s.replace(/[&<>"]/g, replaceUnsafeChar); + } } else { - return s.replace(/[&<>"]/g, sub); + return s; } }, render: renderNodes -- cgit v1.2.3