Implement missing HTML encoding for several attribute injections (#1544)

2026-06-08 16:43:11 +00:00 · 2026-06-04 12:38:09 +03:00
parent 799dd1ad81
commit f4d1e630f7
1 changed files with 8 additions and 12 deletions
--- a/DiscordChatExporter.Core/Exporting/HtmlMarkdownVisitor.cs
+++ b/DiscordChatExporter.Core/Exporting/HtmlMarkdownVisitor.cs
@@ -162,7 +162,7 @@ internal partial class HtmlMarkdownVisitor(
    )
    {
        var highlightClass = !string.IsNullOrWhiteSpace(multiLineCodeBlock.Language)
-            ? $"language-{multiLineCodeBlock.Language}"
+            ? $"language-{HtmlEncode(multiLineCodeBlock.Language)}"
            : "nohighlight";
        buffer.Append(
@@ -217,9 +217,11 @@ internal partial class HtmlMarkdownVisitor(
            <img
                loading="lazy"
                class="chatlog__emoji {jumboClass}"
-                alt="{emoji.Name}"
+                alt="{HtmlEncode(emoji.Name)}"
-                title="{emoji.Code}"
+                title="{HtmlEncode(emoji.Code)}"
-                src="{await context.ResolveAssetUrlAsync(emoji.ImageUrl, cancellationToken)}">
+                src="{HtmlEncode(
                await context.ResolveAssetUrlAsync(emoji.ImageUrl, cancellationToken)
            )}">
            """
        );
    }
@@ -293,14 +295,8 @@ internal partial class HtmlMarkdownVisitor(
            var name = role?.Name ?? "deleted-role";
            var color = role?.Color;
-            var style = color is not null
+            var style = color is { } c
-                ? $"""
+                ? $"color: rgb({c.R}, {c.G}, {c.B}); background-color: rgba({c.R}, {c.G}, {c.B}, 0.1);"
                    color: rgb({color.Value.R}, {color.Value.G}, {color
                        .Value
                        .B}); background-color: rgba({color.Value.R}, {color.Value.G}, {color
                        .Value
                        .B}, 0.1);
                    """
                : null;
            buffer.Append(