From c68d9311009292a11375d555a8abcfc46227a2be Mon Sep 17 00:00:00 2001
From: Niklas Fasching
Date: Tue, 31 Mar 2020 16:28:01 +0200
Subject: [PATCH] html: Fix example blocks - escape html

While example blocks do not render inline markup and are thus parsed raw in some way, their contents are not literal html and thus still need to be html escaped.
---
 org/html_writer.go | 2 +-
 org/testdata/blocks.html | 4 +++-
 org/testdata/blocks.org | 2 ++
 org/testdata/blocks.pretty_org | 2 ++
 org/testdata/misc.html | 2 +-
 5 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/org/html_writer.go b/org/html_writer.go
index 0c830de..731f7db 100644
--- a/org/html_writer.go
+++ b/org/html_writer.go
@@ -123,7 +123,7 @@ func (w *HTMLWriter) WriteBlock(b Block) {
 content = w.HighlightCodeBlock(content, lang)
 w.WriteString(fmt.Sprintf("
\n%s\n
\n", lang, content)) case name == "EXAMPLE": - w.WriteString(`
` + "\n" + content + "\n
\n") + w.WriteString(`
` + "\n" + html.EscapeString(content) + "\n
\n") case name == "EXPORT" && len(b.Parameters) >= 1 && strings.ToLower(b.Parameters[0]) == "html": w.WriteString(content + "\n") case name == "QUOTE": diff --git a/org/testdata/blocks.html b/org/testdata/blocks.html index a470343..a4da06a 100644 --- a/org/testdata/blocks.html +++ b/org/testdata/blocks.html @@ -32,9 +32,11 @@ empty lines! it also has multiple parameters -src, example & export blocks treat their content as raw text +src, example & export blocks treat their content as raw text /inline/ *markup* is ignored and whitespace is honored and not removed + +content of example blocks is still html escaped - see <script>alert("escaped")</script>
 examples like this
diff --git a/org/testdata/blocks.org b/org/testdata/blocks.org
index 44d93e5..3990008 100644
--- a/org/testdata/blocks.org
+++ b/org/testdata/blocks.org
@@ -25,6 +25,8 @@ it also has multiple parameters
 src, example & export blocks treat their content as raw text
 /inline/ *markup* is ignored
       and whitespace is honored and not removed
+
+content of example blocks is still html escaped - see 
 #+END_EXAMPLE
 
 : examples like this
diff --git a/org/testdata/blocks.pretty_org b/org/testdata/blocks.pretty_org
index 239890c..355ed29 100644
--- a/org/testdata/blocks.pretty_org
+++ b/org/testdata/blocks.pretty_org
@@ -25,6 +25,8 @@ it also has multiple parameters
 src, example & export blocks treat their content as raw text
 /inline/ *markup* is ignored
       and whitespace is honored and not removed
+
+content of example blocks is still html escaped - see 
 #+END_EXAMPLE
 
 : examples like this
diff --git a/org/testdata/misc.html b/org/testdata/misc.html
index 242bf7c..3e76471 100644
--- a/org/testdata/misc.html
+++ b/org/testdata/misc.html
@@ -200,7 +200,7 @@ example block
 

 language: go
-go: "1.x"
+go: "1.x"
 script:
   - make test
   - make generate-gh-pages