From 191538be6fdc64eadd050c052bc9f7db2922f97d Mon Sep 17 00:00:00 2001
From: Adriano Sela Aviles
Date: Tue, 10 Dec 2024 10:39:41 -0800
Subject: [PATCH] [CVE-2024-51735/GHSA-wvv7-wm5v-w2gv] Fix XSS In Markdown Resolver
---
 core/markdown.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/core/markdown.go b/core/markdown.go
index e32bde0..f489456 100644
--- a/core/markdown.go
+++ b/core/markdown.go
@@ -2,6 +2,7 @@ package core
 import (
 	"path"
+	"text/template"
 	"fmt"
 	"os"
@@ -111,6 +112,7 @@ func (r *Runner) ResolveContentSrc(tag string) string {
 	}
 	if strings.Contains(tag, "shorten=true") || len(fileContent) > r.Opt.MDCodeBlockLimit {
+		fileContent = template.HTMLEscapeString(fileContent) // sanitize file content to prevent XSS
 		return extendTag(fileContent)
 	}
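Review bot: The added escape only covers the `shorten=true` / over-limit branch, so whatever ResolveContentSrc returns after the closing `}` (outside the hunk) still carries `fileContent` unescaped; if that path is also emitted into the rendered HTML report, the same injection remains there and the call should move to the line before the `if`, `fileContent = template.HTMLEscapeString(fileContent)`. That hoist is only right if the other path is not a fenced code block that the Markdown renderer escapes on its own, since then it would double-escape, so confirm against the rest of the function before changing it. `HTMLEscapeString` is adequate for element content and quoted attribute values only; if `extendTag` places the text inside a `<script>` body, an event-handler attribute or an unquoted attribute, a context-specific escaper is needed instead. The comment also overstates the call, which escapes rather than sanitizes; `// HTML-escape file content before it is embedded in the rendered report` is the accurate wording. ResolveContentSrc begins and ends outside this hunk.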