harden sanitization

markedjs · Jun 26, 2019 · 08389db · 08389db
1 parent 6b4d792
commit 08389db
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/marked.js b/lib/marked.js
@@ -434,7 +434,7 @@ Lexer.prototype.token = function(src, top) {
           : 'html',
         pre: !this.options.sanitizer
           && (cap[1] === 'pre' || cap[1] === 'script' || cap[1] === 'style'),
-        text: cap[0]
+        text: this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]
       });
       continue;
     }
@@ -847,7 +847,7 @@ InlineLexer.prototype.output = function(src) {
     if (cap = this.rules.text.exec(src)) {
       src = src.substring(cap[0].length);
       if (this.inRawBlock) {
-        out += this.renderer.text(cap[0]);
+        out += this.renderer.text(this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]);
       } else {
         out += this.renderer.text(escape(this.smartypants(cap[0])));
       }