Escape normal text in our Redcarpet renderer

421edd35 · Robert Speicher · 588267b5 · 421edd35
Commit 421edd35 authored 9 years ago by Robert Speicher
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
-class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
+require 'active_support/core_ext/string/output_safety'
+class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
  attr_reader :template
  alias_method :h, :template
@@ -21,6 +22,7 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
  def normal_text(text)
    return text unless text.present?
+    text = ERB::Util.html_escape_once(text)
    text.gsub("'", "&rsquo;")
  end