Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: escape curly braces in <code> tags #114

Merged
merged 9 commits into from
Jan 11, 2025
Merged

fix: escape curly braces in <code> tags #114

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
155d7ee
fix: escape curly braces only inside <code>
leandrocp Jan 9, 2025
c18126d
expose safe_html
leandrocp Jan 9, 2025
90daecb
keyword opts
leandrocp Jan 9, 2025
3f454a6
impr test
leandrocp Jan 9, 2025
9c1ca44
fix double escape + tests
leandrocp Jan 11, 2025
e4c6c21
format
leandrocp Jan 11, 2025
c8c69e2
up examples
leandrocp Jan 11, 2025
1b4c7e0
docs
leandrocp Jan 11, 2025
f6d7a54
escape_tags -> escape_content
leandrocp Jan 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions examples/heex.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ markdown = """

```heex
<%= @hello %>
{ @hello }
```

Elixir was created by José Valim.
Expand Down
1 change: 1 addition & 0 deletions examples/live_view.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ defmodule DemoLive do

```heex
<%= @hello %>
{ @hello }
```

Elixir was created by José Valim.
Expand Down
35 changes: 35 additions & 0 deletions lib/mdex.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -602,4 +602,39 @@ defmodule MDEx do

defp maybe_trim({:ok, result}), do: {:ok, String.trim(result)}
defp maybe_trim(error), do: error

@doc """
Utility function to sanitize and escape HTML.

## Examples

iex> MDEx.safe_html("<script>console.log('attack')</script>")
""

iex> MDEx.safe_html("<h1>{'Example:'}</h1><code>{:ok, 'MDEx'}</code>")
"&lt;h1&gt;{&#x27;Example:&#x27;}&lt;&#x2f;h1&gt;&lt;code&gt;&lbrace;:ok, &#x27;MDEx&#x27;&rbrace;&lt;&#x2f;code&gt;"

iex> MDEx.safe_html("<h1>{'Example:'}</h1><code>{:ok, 'MDEx'}</code>", escape: [content: false])
"<h1>{'Example:'}</h1><code>&lbrace;:ok, 'MDEx'&rbrace;</code>"

## Options

- `:sanitize` - clean HTML using these rules https://docs.rs/ammonia/latest/ammonia/fn.clean.html. Defaults to `true`.
- `:escape` - which entities should be escaped. Defaults to `[:content, :curly_braces_in_code]`.
- `:content` - escape common chars like `<`, `>`, `&`, and others in the HTML content;
- `:curly_braces_in_code` - escape `{` and `}` only inside `<code>` tags, particularly useful for compiling HTML in LiveView;
"""
def safe_html(unsafe_html, opts \\ []) when is_binary(unsafe_html) and is_list(opts) do
sanitize = opt(opts, [:sanitize], true)
escape_content = opt(opts, [:escape, :content], true)
escape_curly_braces_in_code = opt(opts, [:escape, :curly_braces_in_code], true)
Native.safe_html(unsafe_html, sanitize, escape_content, escape_curly_braces_in_code)
end

defp opt(opts, keys, default) do
case get_in(opts, keys) do
nil -> default
val -> val
end
end
end
2 changes: 2 additions & 0 deletions lib/mdex/native.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@ defmodule MDEx.Native do
mode: mode,
force_build: System.get_env("MDEX_BUILD") in ["1", "true"]

def safe_html(_unsafe_html, _sanitize, _escape_content, _escape_curly_braces_in_code), do: :erlang.nif_error(:nif_not_loaded)

# markdown
# - to document (parse)
# - to html
Expand Down
Loading
Loading