
Tatham Oddie committed 839307d

Fixed some missed HTML encoding.


Files changed (2)

Web.Test/Controllers/AnalysisControllerTests.cs

         }
 
         [TestMethod]
+        public void AnalysisController_RenderExpressionAsHtml_ShouldEncodeDataBeforeBetweenAfterAndWithinNodes()
+        {
+            // Arrange
+            var nodes = new ExpressionNode("<<<<<", 0, new Node[]
+            {
+                new LiteralNode("<", 1) { NodeId = 1 },
+                new LiteralNode("<", 3) { NodeId = 2 }
+            });
+
+            // Act
+            var result = AnalysisController.RenderExpressionAsHtml(nodes).ToHtmlString();
+
+            // Assert
+            Assert.AreEqual("&lt;<span class=\"ast-node ast-node-1\">&lt;</span>&lt;<span class=\"ast-node ast-node-2\">&lt;</span>&lt;", result);
+        }
+
+        [TestMethod]
         public void AnalysisController_RenderExpressionAsHtml_ShouldRenderSequentialFlatNodes()
         {
             // Arrange
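Review bot: The new test at L16–L30 exercises only `<`, so it cannot tell correct single encoding apart from double encoding or from a character that `HttpUtility.HtmlEncode` handles but `<`-only data never exercises (`&`, `"`, `>`). A companion case whose parent data contains an ampersand and a quote (constructed example: data `a&b"c` expecting `a&amp;b&quot;c` in the between-node text) would pin that each segment is encoded exactly once and would fail loudly if node data were ever pre-encoded upstream. The hard-coded `ast-node ast-node-1` markup at L29 also couples the test to the exact class naming; a short comment above the assert saying the class attribute is part of the contract would make that intent explicit. The enclosing test class starts and ends outside this section.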

Web/Controllers/AnalysisController.cs

 
                 var charactersBeforeThisFirstNode = parentNode.Data.Substring(0, currentNode.StartIndex - parentNode.StartIndex);
 
-                markupBuilder.Append(charactersBeforeThisFirstNode);
+                markupBuilder.Append(HttpUtility.HtmlEncode(charactersBeforeThisFirstNode));
             }
             else
             {
 
                 var charactersBetweenPreviousAndCurrentNode = parentNode.Data.Substring(endIndexOfPreviousNodeAtThisLevel, numberOfCharactersBetweenPreviousAndCurrentNode);
 
-                markupBuilder.Append(charactersBetweenPreviousAndCurrentNode);
+                markupBuilder.Append(HttpUtility.HtmlEncode(charactersBetweenPreviousAndCurrentNode));
             }
         }
 
 
             var remainingCharacters = parentNode.Data.Substring(endIndexOfCurrentNode - parentNode.StartIndex, numberOfRemainingCharacters);
 
-            markupBuilder.Append(remainingCharacters);
+            markupBuilder.Append(HttpUtility.HtmlEncode(remainingCharacters));
         }
 
         static IHtmlString RenderNodesAsHtml(IEnumerable<Node> nodes)
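Review bot: Each of the three fixed call sites (L43, L51, L59) applies `HttpUtility.HtmlEncode` inline before `markupBuilder.Append`, so the raw `Append` overload remains available for data and the next segment added to this method can miss encoding exactly as these did; since the result is ultimately exposed as `IHtmlString` (L62) and so bypasses view encoding, a miss here is rendered unescaped. A one-line helper such as `static void AppendEncoded(StringBuilder builder, string text) => builder.Append(HttpUtility.HtmlEncode(text));` routed through by all three sites would leave raw `Append` for markup the method generates itself. The test section shows a `class="ast-node ast-node-{id}"` attribute being built somewhere in this method; that interpolation is not visible in these hunks, so it is worth confirming `NodeId` is numeric or is attribute-encoded as well. The enclosing method starts and ends outside the hunks.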