Fix markdown escaping wrongly passing html through (#28363)

* Fix markdown escaping wrongly passing html through

Signed-off-by: Michael Telatynski <[email protected]>

* Add comment

Signed-off-by: Michael Telatynski <[email protected]>

---------

Signed-off-by: Michael Telatynski <[email protected]>

Author: t3chguy

src/Markdown.ts

@@ -383,6 +383,9 @@ export default class Markdown {
             if (isMultiLine(node) && node.next) this.lit("\n\n");
         };
 
-        return renderer.render(this.parsed);
+        // We inhibit the default escape function as we escape the entire output string to correctly handle backslashes
+        renderer.esc = (input: string) => input;
+
+        return escape(renderer.render(this.parsed));
     }
 }

test/unit-tests/editor/serialize-test.ts

@@ -9,7 +9,7 @@ Please see LICENSE files in the repository root for full details.
 import { mocked } from "jest-mock";
 
 import EditorModel from "../../../src/editor/model";
-import { htmlSerializeIfNeeded } from "../../../src/editor/serialize";
+import { htmlSerializeFromMdIfNeeded, htmlSerializeIfNeeded } from "../../../src/editor/serialize";
 import { createPartCreator } from "./mock";
 import { IConfigOptions } from "../../../src/IConfigOptions";
 import SettingsStore from "../../../src/settings/SettingsStore";
@@ -71,6 +71,12 @@ describe("editor/serialize", function () {
             const html = htmlSerializeIfNeeded(model, {});
             expect(html).toBe("*hello* world");
         });
+        it("escaped markdown should not retain backslashes around other markdown", function () {
+            const pc = createPartCreator();
+            const model = new EditorModel([pc.plain("\\*hello\\* **world**")], pc);
+            const html = htmlSerializeIfNeeded(model, {});
+            expect(html).toBe("*hello* <strong>world</strong>");
+        });
         it("escaped markdown should convert HTML entities", function () {
             const pc = createPartCreator();
             const model = new EditorModel([pc.plain("\\*hello\\* world < hey world!")], pc);
@@ -153,6 +159,14 @@ describe("editor/serialize", function () {
             const html = htmlSerializeIfNeeded(model, { forceHTML: true, useMarkdown: false });
             expect(html).toBe("hello world");
         });
+        it("should treat tags not in allowlist as plaintext", () => {
+            const html = htmlSerializeFromMdIfNeeded("<b>test</b>", {});
+            expect(html).toBeUndefined();
+        });
+        it("should treat tags not in allowlist as plaintext even if escaped", () => {
+            const html = htmlSerializeFromMdIfNeeded("\\<b>test</b>", {});
+            expect(html).toBe("&lt;b&gt;test&lt;/b&gt;");
+        });
     });
 
     describe("feature_latex_maths", () => {