diff options
author | Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com> | 2014-05-12 18:43:58 +0200 |
---|---|---|
committer | Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com> | 2014-05-12 18:44:06 +0200 |
commit | 1f906357067c5256314d6c899e76c86f60f7f559 (patch) | |
tree | 2723c0e6625bf1adefd69af127a444d4e6984090 /sonar-markdown | |
parent | f59a579d18a7dc338c9adab23806019b14ac5c27 (diff) | |
download | sonarqube-1f906357067c5256314d6c899e76c86f60f7f559.tar.gz sonarqube-1f906357067c5256314d6c899e76c86f60f7f559.zip |
SONAR-4681 SONAR-5295 Escape HTML before markdown interpolation
Diffstat (limited to 'sonar-markdown')
4 files changed, 13 insertions, 5 deletions
diff --git a/sonar-markdown/pom.xml b/sonar-markdown/pom.xml index 49f615bd35b..d28e9542fbd 100644 --- a/sonar-markdown/pom.xml +++ b/sonar-markdown/pom.xml @@ -19,6 +19,10 @@ <artifactId>sonar-channel</artifactId> </dependency> <dependency> + <groupId>commons-lang</groupId> + <artifactId>commons-lang</artifactId> + </dependency> + <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> </dependency> diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java index c236e15a19f..286e7e58c80 100644 --- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java +++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java @@ -65,7 +65,7 @@ class HtmlBlockquoteChannel extends Channel<MarkdownOutput> { private class QuotedLineElementChannel extends RegexChannel<MarkdownOutput> { protected QuotedLineElementChannel() { - super(">\\s[^\r\n]*+"); + super(">\\s[^\r\n]*+"); } @Override @@ -80,7 +80,8 @@ class HtmlBlockquoteChannel extends Channel<MarkdownOutput> { private int searchIndexOfFirstCharacter(CharSequence token) { for (int index = 0; index < token.length(); index++) { - if (token.charAt(index) == '>') { + if (token.charAt(index) == '&') { + index += 4; while (++ index < token.length()) { if (token.charAt(index) != ' ') { return index; diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java index 5323a3966d5..3d932c62bc5 100644 --- a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java +++ b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java @@ -19,6 +19,7 @@ */ package org.sonar.markdown; +import org.apache.commons.lang.StringEscapeUtils; import org.sonar.channel.ChannelDispatcher; import org.sonar.channel.CodeReader; @@ -53,6 +54,6 @@ public final class Markdown { } public static String convertToHtml(String input) { - return new Markdown().convert(input); + return new Markdown().convert(StringEscapeUtils.escapeHtml(input)); } } diff --git a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java index 909fda8c539..462bee37175 100644 --- a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java +++ b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java @@ -67,8 +67,10 @@ public class MarkdownTest { @Test public void shouldDecorateBlockquote() { - assertThat(Markdown.convertToHtml("> Yesterday it worked\n> Today it is not working\r\n> Software is like that\r")) - .isEqualTo("<blockquote>Yesterday it worked<br/>\nToday it is not working<br/>\r\nSoftware is like that<br/>\r</blockquote>"); + assertThat(Markdown.convertToHtml("> Yesterday <br/> it worked\n> Today it is not working\r\n> Software is like that\r")) + .isEqualTo("<blockquote>Yesterday <br/> it worked<br/>\nToday it is not working<br/>\r\nSoftware is like that<br/>\r</blockquote>"); + assertThat(Markdown.convertToHtml("HTML elements should <em>not</em> be quoted!")) + .isEqualTo("HTML elements should <em>not</em> be quoted!"); } @Test |