Skip to content

Commit ce28173

Browse files
Refactor HTML rendering in index.ts to escape script and style tags, ensuring code examples are displayed correctly without execution. This enhances the safety and visibility of rendered content.
1 parent 27d79c6 commit ce28173

1 file changed

Lines changed: 10 additions & 3 deletions

File tree

src/index.ts

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -629,10 +629,17 @@ export function renderHtmlDocument(markdown: string, title: string, source: stri
629629
return self.renderToken(tokens, idx, opts)
630630
}
631631

632-
// Strip any stray script tags to avoid runtime fetches/404s in exported HTML.
633-
const safeMarkdown = markdown.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '')
632+
// Escape script/style tags so code examples render visibly without executing or being stripped.
633+
const escapeExecutableTags = (html: string): string =>
634+
html
635+
.replace(/<script/gi, '&lt;script')
636+
.replace(/<\/script>/gi, '&lt;/script&gt;')
637+
.replace(/<style/gi, '&lt;style')
638+
.replace(/<\/style>/gi, '&lt;/style&gt;')
639+
640+
const safeMarkdown = escapeExecutableTags(markdown)
634641
const rendered = md.render(safeMarkdown)
635-
const body = rendered.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '')
642+
const body = escapeExecutableTags(rendered)
636643
const safeTitle = escapeHtml(stripProviderPrefix(title))
637644
const safeSource = escapeHtml(source)
638645
const safeRetrieved = escapeHtml(retrieved)

0 commit comments

Comments
 (0)