
Commit d7c3453

authored
Merge pull request #3071 from pygments/harden-html-formatter
Harden the HTML formatter against CSS.
2 parents 9f981b2 + 0f97e7c commit d7c3453


1 file changed

+8
-6
lines changed


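--- a/pygments/formatters/html.py
+++ b/pygments/formatters/html.py
@@ -18,6 +18,8 @@
 from pygments.token import Token, Text, STANDARD_TYPES
 from pygments.util import get_bool_opt, get_int_opt, get_list_opt
 
+import html
+
 try:
 import ctags
 except ImportError:
@@ -422,14 +424,14 @@ def __init__(self, **options):
 self.nowrap = get_bool_opt(options, 'nowrap', False)
 self.noclasses = get_bool_opt(options, 'noclasses', False)
 self.classprefix = options.get('classprefix', '')
-self.cssclass = self._decodeifneeded(options.get('cssclass', 'highlight'))
-self.cssstyles = self._decodeifneeded(options.get('cssstyles', ''))
+self.cssclass = html.escape(self._decodeifneeded(options.get('cssclass', 'highlight')))
+self.cssstyles = html.escape(self._decodeifneeded(options.get('cssstyles', '')))
 self.prestyles = self._decodeifneeded(options.get('prestyles', ''))
 self.cssfile = self._decodeifneeded(options.get('cssfile', ''))
 self.noclobber_cssfile = get_bool_opt(options, 'noclobber_cssfile', False)
 self.tagsfile = self._decodeifneeded(options.get('tagsfile', ''))
 self.tagurlformat = self._decodeifneeded(options.get('tagurlformat', ''))
-self.filename = self._decodeifneeded(options.get('filename', ''))
+self.filename = html.escape(self._decodeifneeded(options.get('filename', '')))
 self.wrapcode = get_bool_opt(options, 'wrapcode', False)
 self.span_element_openers = {}
 self.debug_token_types = get_bool_opt(options, 'debug_token_types', False)
@@ -452,9 +454,9 @@ def __init__(self, **options):
 self.linenostep = abs(get_int_opt(options, 'linenostep', 1))
 self.linenospecial = abs(get_int_opt(options, 'linenospecial', 0))
 self.nobackground = get_bool_opt(options, 'nobackground', False)
-self.lineseparator = options.get('lineseparator', '\n')
-self.lineanchors = options.get('lineanchors', '')
-self.linespans = options.get('linespans', '')
+self.lineseparator = html.escape(options.get('lineseparator', '\n'))
+self.lineanchors = html.escape(options.get('lineanchors', ''))
+self.linespans = html.escape(options.get('linespans', ''))
 self.anchorlinenos = get_bool_opt(options, 'anchorlinenos', False)
 self.hl_lines = set()
 for lineno in get_list_opt(options, 'hl_lines', []):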
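Review bot: `prestyles`, on the context line directly after the newly escaped `cssstyles`, is still assigned unescaped; if it is interpolated into a `style="…"` attribute the same way `cssstyles` is, it needs the same treatment, `self.prestyles = html.escape(self._decodeifneeded(options.get('prestyles', '')))`, and the same question applies to `tagurlformat`, which presumably ends up in an `href`. Note also that `html.escape` is an HTML text/attribute escape rather than a CSS one, so if `cssclass` is also written into the generated stylesheet as a selector, values containing `&`, `<` or quotes will now produce `&amp;`/`&quot;` there instead of a usable selector — worth a check of `get_style_defs`, which is outside these hunks. Escaping `lineseparator` is a behaviour change for callers who pass markup (the option docs, as far as I recall, suggest `<br>`), so that deserves a changelog entry or a note in the option docstring. A short comment above the escaped assignments, `# option values are interpolated into attributes/markup; escape so caller-supplied strings cannot break out of them`, would make the intent of the six wrapped lines explicit. `__init__` starts and ends outside these hunks.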
