HTML entities
finnp opened this issue · comments
Right now, marked is escaping `<` `"` `'` `>` before the renderer to HTML entities. (See https://github.com/chjj/marked/blob/7be419324986c7a37c8d3e2fd580e925e236db52/lib/marked.js#L1076). So when I write `Let's start` I get `Let's stat`.
I consider this to be a bug in marked, however I am not sure whether marked will have this fixed, because it could create security vulnerabilities in people using their own HTML Renderer.
Maybe one could just re-replace them with their original values. That would cause problems in codespans however, since people might write something like:
The `'` tag is used for quotes
However code blocks would be saved, since marked is not doing replacements there. So maybe it would be okay?
I see. I'll implement an "unescape" function for entities, and add some tests to see if we can solve this.
This is harder than first thought. As codespan is wrapped in for instance a paragraph, and the escaping happens somewhere in between, there is no good/easy way of preserving when doing `'`.
I think, if we have to choose between the two, it's better to unescape all. Let me know what you think, @finnp
Yeah I think maybe unescaping should be an option that is true by default, but can be turned off. That still doesn't cover mixed cases though.
Another possibility might be to replace `'` within a codespan with something unlikely like `[[[[[']]]]]` and then in the end remove those occurrences. However I think that might be a little bit too complicated for this issue, since probably there won't be many people affected by those things within the codespans.
I already tried doing the approach you're describing, didn't work too well as the ampersand in `'` was replaced by `&`.
I think I'm just going to do this the straightforward way. I don't really think it would be necessary with a setting, but I'll add it just to be safe.
👍
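
Added example, not code from this thread or from marked: a small model of the "unescape all" trade-off discussed above, showing that prose round-trips, that an entity typed literally in a codespan is lost, and that unescaped output contains raw markup again and so belongs only in a non-HTML sink. The function names, the `unescape` option shape and the entity spellings are assumptions.

```javascript
// Model of the four replacements listed in the issue (< " ' >).
// The entity spellings are an assumption; this is not marked's code.
const ENTITIES = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const REVERSE = Object.fromEntries(
  Object.entries(ENTITIES).map(([ch, entity]) => [entity, ch])
);

// What a custom renderer receives: text already escaped upstream.
function escapeUpstream(text) {
  return text.replace(/[<>"']/g, (ch) => ENTITIES[ch]);
}

// "Unescape all" in a single pass over the known entities.
function unescapeAll(text) {
  return text.replace(/&(?:lt|gt|quot|#39);/g, (entity) => REVERSE[entity]);
}

// Hypothetical plain-text renderer hook with the option from the thread:
// unescape defaults to true and can be turned off.
function renderText(escaped, options = {}) {
  const { unescape = true } = options;
  return unescape ? unescapeAll(escaped) : escaped;
}

// True when the renderer output equals what the author typed.
function roundTrips(source, options) {
  return renderText(escapeUpstream(source), options) === source;
}

// Constructed inputs.
const samples = {
  prose: "Let's start",
  // The author typed the entity literally inside a codespan.
  codespan: 'The &#39; entity is a quote',
  markup: '<b title="x">bold</b>',
};

for (const [name, source] of Object.entries(samples)) {
  const out = renderText(escapeUpstream(source));
  console.log(`${name}: ${JSON.stringify(out)} roundTrips=${out === source}`);
}
```

The codespan case fails because, once escaped, a typed entity and an escaped character are the same bytes, so no later pass can tell them apart.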