Fix SyntaxHighlighter::HTML to escape identifier values (#13212)

crystal-lang · Mar 22, 2023 · 2c8e606 · 2c8e606
1 parent 31c17f7
commit 2c8e606
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/spec/std/crystal/syntax_highlighter/html_spec.cr b/spec/std/crystal/syntax_highlighter/html_spec.cr
@@ -73,7 +73,7 @@ describe Crystal::SyntaxHighlighter::HTML do
       == < <= > >= != =~ !~
       & | ^ ~ ** >> << %
     ).each do |op|
-      it_highlights %(def #{op}), %(<span class="k">def</span> <span class="m">#{op}</span>)
+      it_highlights %(def #{op}), %(<span class="k">def</span> <span class="m">#{HTML.escape(op)}</span>)
     end
 
     it_highlights %(def //), %(<span class="k">def</span> <span class="m">/</span><span class="m">/</span>)

diff --git a/src/crystal/syntax_highlighter/html.cr b/src/crystal/syntax_highlighter/html.cr
@@ -52,7 +52,7 @@ class Crystal::SyntaxHighlighter::HTML < Crystal::SyntaxHighlighter
     when .string?
       span "s" { ::HTML.escape(value, @io) }
     when .ident?
-      span "m", &.print value
+      span "m" { ::HTML.escape(value, @io) }
     when .keyword?, .self?
       span "k", &.print value
     when .primitive_literal?