From dd5bf40b97d42daae855cd05ac13c6efa6cda4f6 Mon Sep 17 00:00:00 2001
From: Thibaut Girka <thib@sitedethib.com>
Date: Fri, 17 May 2019 10:43:17 +0200
Subject: [PATCH] Properly escape HTML in code blocks

---
 app/lib/formatter.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index 2c509ef19f..ccebf4353f 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -5,13 +5,23 @@ require_relative './sanitize_config'
 
 class HTMLRenderer < Redcarpet::Render::HTML
   def block_code(code, language)
-    "<pre><code>#{code.gsub("\n", "<br/>")}</code></pre>"
+    "<pre><code>#{encode(code).gsub("\n", "<br/>")}</code></pre>"
   end
 
   def autolink(link, link_type)
     return link if link_type == :email
     Formatter.instance.link_url(link)
   end
+
+  private
+
+  def html_entities
+    @html_entities ||= HTMLEntities.new
+  end
+
+  def encode(html)
+    html_entities.encode(html)
+  end
 end
 
 class Formatter
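Review bot: The order of operations in the new `block_code` line is load-bearing but undocumented — `encode(code)` must run before the newline-to-`<br/>` substitution, otherwise the inserted `<br/>` tags would themselves be escaped — so add a comment above it such as `# Escape the user-supplied code first, then insert <br/> so the markup we add survives.` The hunk does not show a `require 'htmlentities'` or where `HTMLEntities` comes from (the visible context only has `require_relative './sanitize_config'`), so confirm the constant is loaded before this renderer runs rather than relying on autoload order. `encode` is written as a generic helper, but without an explicit instruction argument `HTMLEntities#encode` only escapes the basic markup characters, which is enough for the `<pre><code>` text node here; a short comment noting it is for text content, not attribute values, would keep it from being reused for attributes later. `language` is still unused in `block_code`; renaming it to `_language` would make that intentional.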