SONAR-4681 SONAR-5295 Escape HTML before markdown interpolation

2 files changed, 5 insertions, 3 deletions

diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
index c236e15a19f..286e7e58c80 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
@@ -65,7 +65,7 @@ class HtmlBlockquoteChannel extends Channel<MarkdownOutput> {
   private class QuotedLineElementChannel extends RegexChannel<MarkdownOutput> {
 
     protected QuotedLineElementChannel() {
-      super(">\\s[^\r\n]*+");
+      super("&gt;\\s[^\r\n]*+");
     }
 
     @Override
@@ -80,7 +80,8 @@ class HtmlBlockquoteChannel extends Channel<MarkdownOutput> {
 
     private int searchIndexOfFirstCharacter(CharSequence token) {
       for (int index = 0; index < token.length(); index++) {
-        if (token.charAt(index) == '>') {
+        if (token.charAt(index) == '&') {
+          index += 4;
           while (++ index < token.length()) {
             if (token.charAt(index) != ' ') {
               return index;
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
index 5323a3966d5..3d932c62bc5 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
@@ -19,6 +19,7 @@
  */
 package org.sonar.markdown;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.sonar.channel.ChannelDispatcher;
 import org.sonar.channel.CodeReader;
 
@@ -53,6 +54,6 @@ public final class Markdown {
   }
 
   public static String convertToHtml(String input) {
-    return new Markdown().convert(input);
+    return new Markdown().convert(StringEscapeUtils.escapeHtml(input));
   }
 }