Fix root cause of XSS in autolinker plugin #1054

PrismJS · Nov 9, 2016 · d8c6062 · d8c6062
1 parent 716bb85
commit d8c6062
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/components/prism-core.js b/components/prism-core.js
@@ -446,7 +446,7 @@ Token.stringify = function(o, language, parent) {
 	_.hooks.run('wrap', env);
 
 	var attributes = Object.keys(env.attributes).map(function(name) {
-		return name + '="' + (env.attributes[name] || '') + '"';
+		return name + '="' + (env.attributes[name] || '').replace(/"/g, '&quot;') + '"';
 	}).join(' ');
 
 	return '<' + env.tag + ' class="' + env.classes.join(' ') + '"' + (attributes ? ' ' + attributes : '') + '>' + env.content + '</' + env.tag + '>';

diff --git a/components/prism-core.min.js b/components/prism-core.min.js
diff --git a/prism.js b/prism.js
@@ -451,7 +451,7 @@ Token.stringify = function(o, language, parent) {
 	_.hooks.run('wrap', env);
 
 	var attributes = Object.keys(env.attributes).map(function(name) {
-		return name + '="' + (env.attributes[name] || '') + '"';
+		return name + '="' + (env.attributes[name] || '').replace(/"/g, '&quot;') + '"';
 	}).join(' ');
 
 	return '<' + env.tag + ' class="' + env.classes.join(' ') + '"' + (attributes ? ' ' + attributes : '') + '>' + env.content + '</' + env.tag + '>';