Implement missing HTML encoding for several attribute injections by Tyrrrz · Pull Request #1544 · Tyrrrz/DiscordChatExporter
Tyrrrz deleted the encode-html-attrs branch
arandomhooman added a commit to arandomhooman/DiscordChatExporter that referenced this pull request
…m #1544)
Upstream Tyrrrz/DiscordChatExporter#1544 added missing HTML encoding for several attribute injections. The fork's earlier audit already encoded the emoji alt/title/src and mention names (and sanitizes asset/link URLs), so the only remaining gap was the code block language interpolated into the highlight class.
Defense-in-depth: the markdown parser currently restricts the language token to \w* (MarkdownParser.cs), so it is not reachable with injectable characters via the normal parse path, but encoding matches upstream and guards against direct node construction or a future parser change. No regression test added: a test routed through HtmlMarkdownVisitor.FormatAsync would pass without the fix (the parser strips the payload first), so it would not actually exercise the change; upstream #1544 likewise shipped without a test.
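The commit message above distinguishes two paths to the highlight class: the normal parse path, where the language token is restricted to `\w*`, and direct node construction, where it is not. The following C# is an added example written for this page, not code from DiscordChatExporter or from either PR; the type and method names (`CodeBlockNode`, `ParseLanguageToken`, `RenderUnencoded`, `RenderEncoded`) are hypothetical and the inputs are constructed. It shows the unencoded interpolation beside the encoded one and why the parser's restriction alone is not sufficient once a node can be built without going through it.

```csharp
// Added example (not DiscordChatExporter's own code): HTML-encoding a code block's
// language token before interpolating it into a class attribute.
// CodeBlockNode, ParseLanguageToken, RenderUnencoded and RenderEncoded are
// hypothetical names and do not exist in the project.
using System;
using System.Net;
using System.Text.RegularExpressions;

public sealed record CodeBlockNode(string Language, string Code);

public static class HighlightClassDemo
{
    // Mirrors the restriction the commit message describes for the normal parse path:
    // only a leading \w* run is accepted as the language token, anything after it is dropped.
    public static string ParseLanguageToken(string fenceInfo) =>
        Regex.Match(fenceInfo, @"^\w*").Value;

    // 'Before' form: the language is placed into the class attribute verbatim. A node
    // constructed directly (bypassing the parser) can therefore carry characters that
    // terminate the attribute value.
    public static string RenderUnencoded(CodeBlockNode node) =>
        $"<code class=\"language-{node.Language}\">{WebUtility.HtmlEncode(node.Code)}</code>";

    // Hardened form: every interpolated value, the language token included, is
    // HTML-encoded. WebUtility.HtmlEncode rewrites < > " & and ' as character
    // references, so the token can no longer close the attribute or open a new tag.
    public static string RenderEncoded(CodeBlockNode node) =>
        $"<code class=\"language-{WebUtility.HtmlEncode(node.Language)}\">{WebUtility.HtmlEncode(node.Code)}</code>";

    public static void Main()
    {
        // Constructed inputs: the same fence info string reaching the renderer via the
        // parser (token restricted to \w*) and via direct node construction (unrestricted).
        const string fenceInfo = "cs\" extra";
        var viaParser = new CodeBlockNode(ParseLanguageToken(fenceInfo), "var x = 1;");
        var direct = new CodeBlockNode(fenceInfo, "var x = 1;");

        // Parser path: only "cs" survives, so even the unencoded renderer emits a clean attribute.
        Console.WriteLine(RenderUnencoded(viaParser));
        // Direct construction, unencoded: the quote inside the token ends the attribute early.
        Console.WriteLine(RenderUnencoded(direct));
        // Direct construction, encoded: the quote becomes &quot; and stays inside the attribute.
        Console.WriteLine(RenderEncoded(direct));
    }
}
```

The encoded renderer is the one to keep regardless of what the parser currently accepts: it makes the output safe for whatever value the node holds, which is the property a future parser change cannot silently undo.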