Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there a way to proper hightlight HTML code (including CSS and JS) ?? #2884

Closed
Neohiro79 opened this issue Nov 21, 2020 · 7 comments
Closed

Is there a way to proper hightlight HTML code (including CSS and JS) ?? #2884

Neohiro79 opened this issue Nov 21, 2020 · 7 comments
Labels
bug help welcome Could use help from community language

Comments

@Neohiro79
Copy link

Here is the Fiddle in question:

http://jsfiddle.net/neohiro79/zbfdhxjy/8/

Or am I missing some important script or setting?
@Neohiro79 Neohiro79 added bug help welcome Could use help from community language labels Nov 21, 2020
@joshgoebel
Copy link
Member

joshgoebel commented Nov 21, 2020
edited
Loading

First none of that will work until your properly escape your HTML. Otherwise it’s just HTML not code to be highlighted. There’s nothing magic about putting HTML inside pre or code. It still needs to be escaped.

https://www.freeformatter.com/html-escape.html

If you do that and then use the XML language to highlight the code block it should color script with JavaScript and CSS with CSS automatically.

@Neohiro79
Copy link
Author

Thanks for the quick reply.

So in consequence I'll better stick with Rainbow.js who finally WORKS as expected from startup:

https://jsfiddle.net/neohiro79/zbfdhxjy/9/

@joshgoebel
Copy link
Member

joshgoebel commented Nov 21, 2020
edited
Loading

That is a VERY bad idea and easy to shoot yourself in the foot (even if you control the code 100%). And if you don't 100% control the code you've just opened up your site to all sorts of evil exploits.

https://jsfiddle.net/ajoshguy/dx73h1rc/

Here I am injecting JS into your page because you aren't doing proper escaping. All that Javascript code is being parsed and executed! That's bad.

@Neohiro79 Neohiro79 mentioned this issue Nov 21, 2020
Closed
@joshgoebel joshgoebel mentioned this issue Nov 21, 2020
Closed
@joshgoebel
Copy link
Member

I filed an issue: ccampbell/rainbow#249

@joshgoebel
Copy link
Member

joshgoebel commented Nov 21, 2020
edited
Loading

A properly escape snippet works. The comment will be highligted as an HTML comment.

<pre><code class="lang-xml">
&lt;!-- this is a html comment --&gt;
</code>
</pre>

And just to show it works (HTML, CSS, JS all highlighted) when you escape the code properly:

https://jsfiddle.net/ajoshguy/2pyhud8z/

Closing as asked and answered. :-) I'd really recommend you read up on JS and HTML injection attacks.

@joshgoebel
Copy link
Member

@Neohiro79 Once we get to v11 and dump the "you can include HTML" feature (requiring a plugin-in) I'll probably make changes to show an error message with a link to "educate" people when they try and include raw HTML like you were doing... so instead of just not working it'll send someone off to read and learn about WHY they need to properly escape their code.

Sadly we can't do this now since we allow HTML (for "clever uses") and it's impossible to know the users intention. Were they including HTML on accident or on purpose... changing how this works would be a breaking change so something we'll have to push off until v11.

@joshgoebel joshgoebel mentioned this issue Nov 22, 2020
Closed
@Neohiro79
Copy link
Author

I think, that's a good idea, since it will give me at least a hint what potentially went wrong ... ;-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help welcome Could use help from community language
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joshgoebel @Neohiro79