Escape normal text in our Redcarpet renderer

author: Robert Speicher <rspeicher@gmail.com> 2015-04-28 05:09:00 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2015-04-30 23:35:26 +0300
commit: 421edd35454103e3ed927de72d23a38bee1f97d3 (patch)
tree: 4752112fe50dde5f7603fddaa60cc1d51bfc147e /lib/redcarpet
parent: 588267b5e27238cdf406f248db7cc83b9b0881c8 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb
index 321be9202cc..5a87b230579 100644
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
@@ -1,5 +1,6 @@
-class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
+require 'active_support/core_ext/string/output_safety'
 
+class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   attr_reader :template
   alias_method :h, :template
 
@@ -21,6 +22,7 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   def normal_text(text)
     return text unless text.present?
 
+    text = ERB::Util.html_escape_once(text)
     text.gsub("'", "&rsquo;")
   end
author	Robert Speicher <rspeicher@gmail.com>	2015-04-28 05:09:00 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2015-04-30 23:35:26 +0300
commit	421edd35454103e3ed927de72d23a38bee1f97d3 (patch)
tree	4752112fe50dde5f7603fddaa60cc1d51bfc147e /lib/redcarpet
parent	588267b5e27238cdf406f248db7cc83b9b0881c8 (diff)