From a4d6e1f92c23b99dd0189627e54eb10352dc0f7f Mon Sep 17 00:00:00 2001 From: n1474335 Date: Thu, 23 Mar 2023 12:42:22 +0000 Subject: [PATCH] TextNode characters are re-escaped in htmlWidgets now. Fixes #1533 --- src/web/utils/htmlWidget.mjs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/web/utils/htmlWidget.mjs b/src/web/utils/htmlWidget.mjs index 3480093331..642cd7e152 100644 --- a/src/web/utils/htmlWidget.mjs +++ b/src/web/utils/htmlWidget.mjs @@ -7,6 +7,7 @@ import {WidgetType, Decoration, ViewPlugin} from "@codemirror/view"; import {escapeControlChars} from "./editorUtils.mjs"; import {htmlCopyOverride} from "./copyOverride.mjs"; +import Utils from "../../core/Utils.mjs"; /** @@ -64,7 +65,11 @@ class HTMLWidget extends WidgetType { * @param {DOMNode} textNode */ replaceControlChars(textNode) { - const val = escapeControlChars(textNode.nodeValue, true, this.view.state.lineBreak); + // .nodeValue unencodes HTML encoding such as < to "<" + // We must remember to escape any potential HTML in TextNodes as we do not + // want to render it. + const textValue = Utils.escapeHtml(textNode.nodeValue); + const val = escapeControlChars(textValue, true, this.view.state.lineBreak); if (val.length !== textNode.nodeValue.length) { const node = document.createElement("span"); node.innerHTML = val;