Fix hljs class parsing (#1174)

2023-06-06 18:43:23 -02:30
parent 273a69258a
commit 80530012b8
1 changed files with 8 additions and 6 deletions
--- a/helpers/parse.js
+++ b/helpers/parse.js
@@ -50,12 +50,14 @@ export const configuredXss = new xss.FilterXSS({
    }

    // For Highlight.JS
-    if (
-      name === 'class' &&
-      ['pre', 'code', 'span'].includes(tag) &&
-      (value.startsWith('hljs-') || value.startsWith('language-'))
-    ) {
-      return name + '="' + xss.escapeAttrValue(value) + '"'
+    if (name === 'class' && ['pre', 'code', 'span'].includes(tag)) {
+      const allowedClasses = []
+      for (const className of value.split(/\s/g)) {
+        if (className.startsWith('hljs-') || className.startsWith('language-')) {
+          allowedClasses.push(className)
+        }
+      }
+      return name + '="' + xss.escapeAttrValue(allowedClasses.join(' ')) + '"'
    }
  },
  safeAttrValue(tag, name, value, cssFilter) {