From 08389dba3c50c4c6f41625a680df15cb05cc3fd0 Mon Sep 17 00:00:00 2001
From: KT
Date: Thu, 27 Jun 2019 01:08:58 +0200
Subject: [PATCH] harden sanitization

---
 lib/marked.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/marked.js b/lib/marked.js
index bd69ca29d0..240c7c16e6 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -434,7 +434,7 @@ Lexer.prototype.token = function(src, top) {
 : 'html',
 pre: !this.options.sanitizer
 && (cap[1] === 'pre' || cap[1] === 'script' || cap[1] === 'style'),
- text: cap[0]
+ text: this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]
 });
 continue;
 }
@@ -847,7 +847,7 @@ InlineLexer.prototype.output = function(src) {
 if (cap = this.rules.text.exec(src)) {
 src = src.substring(cap[0].length);
 if (this.inRawBlock) {
- out += this.renderer.text(cap[0]);
+ out += this.renderer.text(this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]);
 } else {
 out += this.renderer.text(escape(this.smartypants(cap[0])));
 }
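Review bot: The sanitize-or-escape ternary on the added `text:` line is copied verbatim into the `inRawBlock` branch of the hunk at line 847, so the one policy that decides whether untrusted HTML reaches the output now lives in at least two hand-written copies (and, inferring from the `pre: !this.options.sanitizer` context line, the same option pair is consulted elsewhere in the file). A later fix to one copy that misses the other is the usual way such a policy silently regresses. A module-level helper next to `escape` gives the policy one name and one comment, and both hunk lines collapse to `text: sanitizeText(this.options, cap[0])` and `out += this.renderer.text(sanitizeText(this.options, cap[0]));`. The enclosing `Lexer.prototype.token` body starts and ends outside the hunk.
```javascript
// Applies the sanitize policy to one run of raw HTML/text: returned as-is
// unless `sanitize` is on; a caller-supplied `sanitizer` takes precedence
// over the built-in `escape`, so it must return output safe to emit as-is.
function sanitizeText(options, text) {
  if (!options.sanitize) return text;
  return options.sanitizer ? options.sanitizer(text) : escape(text);
}

// … unchanged: Lexer.prototype.token up to the html token push …
        text: sanitizeText(this.options, cap[0])
```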
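Review bot: With `sanitize` on and a custom `sanitizer` configured, the added line in the `inRawBlock` branch now hands the sanitizer plain text runs from inside a raw block, which previously reached `renderer.text` untouched; a `sanitizer` written with only tags in mind may return such text unchanged, and the built-in `escape` is then never applied to it, unlike the `else` branch where `escape` is unconditional. The page does not show the documented contract of `options.sanitizer`, so whether callers expect it to see non-tag text is inferred, but the line deserves a comment such as `// raw-block text skips the escape below, so it must go through the same sanitize policy as tags` and the option documentation should state that `sanitizer` receives text runs as well as tags and must return output safe to emit verbatim. The enclosing `InlineLexer.prototype.output` body starts and ends outside the hunk.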