From f4d1e630f7f27120c3be4320d92cc8b932e78688 Mon Sep 17 00:00:00 2001 From: Oleksii Holub <1935960+Tyrrrz@users.noreply.github.com> Date: Thu, 4 Jun 2026 12:38:09 +0300 Subject: [PATCH] Implement missing HTML encoding for several attribute injections (#1544) --- .../Exporting/HtmlMarkdownVisitor.cs | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/DiscordChatExporter.Core/Exporting/HtmlMarkdownVisitor.cs b/DiscordChatExporter.Core/Exporting/HtmlMarkdownVisitor.cs index 91232948..0104a6d8 100644 --- a/DiscordChatExporter.Core/Exporting/HtmlMarkdownVisitor.cs +++ b/DiscordChatExporter.Core/Exporting/HtmlMarkdownVisitor.cs @@ -162,7 +162,7 @@ internal partial class HtmlMarkdownVisitor( ) { var highlightClass = !string.IsNullOrWhiteSpace(multiLineCodeBlock.Language) - ? $"language-{multiLineCodeBlock.Language}" + ? $"language-{HtmlEncode(multiLineCodeBlock.Language)}" : "nohighlight"; buffer.Append( @@ -217,9 +217,11 @@ internal partial class HtmlMarkdownVisitor( {emoji.Name} + alt="{HtmlEncode(emoji.Name)}" + title="{HtmlEncode(emoji.Code)}" + src="{HtmlEncode( + await context.ResolveAssetUrlAsync(emoji.ImageUrl, cancellationToken) + )}"> """ ); } @@ -293,14 +295,8 @@ internal partial class HtmlMarkdownVisitor( var name = role?.Name ?? "deleted-role"; var color = role?.Color; - var style = color is not null - ? $""" - color: rgb({color.Value.R}, {color.Value.G}, {color - .Value - .B}); background-color: rgba({color.Value.R}, {color.Value.G}, {color - .Value - .B}, 0.1); - """ + var style = color is { } c + ? $"color: rgb({c.R}, {c.G}, {c.B}); background-color: rgba({c.R}, {c.G}, {c.B}, 0.1);" : null; buffer.Append(
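Review bot: `HtmlEncode` on `multiLineCodeBlock.Language` stops the value from closing the attribute, but whitespace passes through unchanged, so a language string containing a space would still contribute extra class tokens if `highlightClass` ends up in a `class` attribute. The `IsNullOrWhiteSpace` guard only rejects values that are entirely whitespace. Whether the Markdown parser can produce such a value is not visible here; if it can, reduce the language to a conservative character set before building the class name, and otherwise record the assumption with a comment such as `// HtmlEncode prevents attribute breakout only; the parser must guarantee Language contains no whitespace`. The `buffer.Append(` call that consumes `highlightClass` continues outside the hunk.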
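Review bot: Nothing in this commit pins the new encoding of `alt`, `title` and `src` with a test; the diffstat lists only `HtmlMarkdownVisitor.cs`. A regression test that exports a message whose emoji name or code contains `"`, `<` and `&` and asserts the escaped form in the output would keep these call sites from regressing, and the same applies to the code-block language in the first hunk. For `src`, encoding covers attribute breakout but not the kind of URL that is emitted, so it is worth confirming that `ResolveAssetUrlAsync` only returns http(s) URLs or local relative paths. The removed lines of this hunk are not fully visible on this page, so this covers the added lines only.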
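Review bot: The rewritten `style` string is the one attribute value touched by this commit that stays unencoded, and nothing next to it says why that is safe. It is built only from `c.R`, `c.G` and `c.B`, which are presumably numeric channel values, so a short comment above `var style` would make the reasoning explicit, for example `// Built from numeric colour channels only, so no HtmlEncode is needed`. Separately, `name` comes from `role?.Name` and is used in the `buffer.Append(` call that continues outside the hunk; confirm it is passed through `HtmlEncode` there, since a role name is user-controlled text.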