From bb21400732d6b2d09dd21ac14cd07e7ffb5055da Mon Sep 17 00:00:00 2001
From: Leo Franchi <leo@zulip.com>
Date: Mon, 3 Feb 2014 11:13:40 -0500
Subject: [PATCH] [localecho] Properly escape HTML in code blocks

(imported from commit 11f7e4f440cdd3a2ef6debb10c3d5a07f4fd1a1a)
---
 static/js/echo.js                 |  1 +
 static/js/fenced_code.js          | 10 +++++++++-
 zerver/fixtures/bugdown-data.json | 12 ++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/static/js/echo.js b/static/js/echo.js
index 522a32b1ca..708db064db 100644
--- a/static/js/echo.js
+++ b/static/js/echo.js
@@ -453,6 +453,7 @@ $(function () {
     fenced_code.set_stash_func(function (html) {
         return marked.stashHtml(html, true);
     });
+    fenced_code.set_escape_func(escape);
 
     marked.setOptions({
         gfm: true,
diff --git a/static/js/fenced_code.js b/static/js/fenced_code.js
index 1e7afe20e0..a236a8a5f2 100644
--- a/static/js/fenced_code.js
+++ b/static/js/fenced_code.js
@@ -23,6 +23,10 @@ var stash_func = function (text) {
     return text;
 };
 
+var escape_func = function (text) {
+    return text;
+};
+
 function wrap_code(code) {
     // Trim trailing \n until there's just one left
     // This mirrors how pygments handles code input
@@ -30,7 +34,7 @@ function wrap_code(code) {
     while (code.length > 2 && code.substr(code.length - 2) === '\n\n') {
         code = code.substring(0, code.length - 1);
     }
-    return '<div class="codehilite"><pre>' + code + '</pre></div>\n';
+    return '<div class="codehilite"><pre>' + escape_func(code) + '</pre></div>\n';
 }
 
 function wrap_quote(text) {
@@ -51,6 +55,10 @@ exports.set_stash_func = function (stash_handler) {
     stash_func = stash_handler;
 };
 
+exports.set_escape_func = function (escape) {
+    escape_func = escape;
+};
+
 exports.process_fenced_code = function (content) {
     var input = content.split('\n');
     var output = [];
diff --git a/zerver/fixtures/bugdown-data.json b/zerver/fixtures/bugdown-data.json
index fb945f272d..f11575cd0b 100644
--- a/zerver/fixtures/bugdown-data.json
+++ b/zerver/fixtures/bugdown-data.json
@@ -197,6 +197,18 @@
       "input": ":smile:, :smile:; :smile:",
       "expected_output": "<p><img alt=\":smile:\" class=\"emoji\" src=\"static/third/gemoji/images/emoji/smile.png\" title=\":smile:\">, <img alt=\":smile:\" class=\"emoji\" src=\"static/third/gemoji/images/emoji/smile.png\" title=\":smile:\">; <img alt=\":smile:\" class=\"emoji\" src=\"static/third/gemoji/images/emoji/smile.png\" title=\":smile:\"></p>",
       "bugdown_matches_marked": true
+    },
+    {
+      "name": "safe_html",
+      "input": "<h1>stay normal</h1> thanks",
+      "expected_output": "<p>&lt;h1&gt;stay normal&lt;/h1&gt; thanks</p>",
+      "bugdown_matches_marked": true
+    },
+    {
+      "name": "safe_html_in_code",
+      "input": "~~~\n<h1>stay normal</h1>",
+      "expected_output": "<div class=\"codehilite\"><pre>&lt;h1&gt;stay normal&lt;/h1&gt;\n</pre></div>",
+      "bugdown_matches_marked": true
     }
   ],
   "linkify_tests": [