HTML renderer: Test for characters that need escaping before substituting.

1 files changed, 10 insertions, 5 deletions

diff --git a/js/lib/html.js b/js/lib/html.js
index 37ee903..12a8db9 100644
--- a/js/lib/html.js
+++ b/js/lib/html.js
@@ -201,7 +201,7 @@ var renderNodes = function(block, options) {
             }
             cr();
             out(tag('pre') + tag('code', attrs));
-            out(this.escape(node.literal));
+            out(esc(node.literal));
             out(tag('/code') + tag('/pre'));
             cr();
             break;
@@ -230,7 +230,7 @@ var renderNodes = function(block, options) {
     return buffer;
 };
 
-var sub = function(s) {
+var replaceUnsafeChar = function(s) {
     switch (s) {
     case '&':
         return '&';
@@ -245,6 +245,7 @@ var sub = function(s) {
     }
 };
 
+var reNeedsEscaping = /[&<>"]/;
 
 // The HtmlRenderer object.
 function HtmlRenderer(){
@@ -256,10 +257,14 @@ function HtmlRenderer(){
         // set to "<br />" to make them hard breaks
         // set to " " if you want to ignore line wrapping in source
         escape: function(s, preserve_entities) {
-            if (preserve_entities) {
-                return s.replace(/[&](?:[#](x[a-f0-9]{1,8}|[0-9]{1,8});|[a-z][a-z0-9]{1,31};)|[&<>"]/gi, sub);
+            if (reNeedsEscaping.test(s)) {
+                if (preserve_entities) {
+                    return s.replace(/[&](?:[#](x[a-f0-9]{1,8}|[0-9]{1,8});|[a-z][a-z0-9]{1,31};)|[&<>"]/gi, replaceUnsafeChar);
+                } else {
+                    return s.replace(/[&<>"]/g, replaceUnsafeChar);
+                }
             } else {
-                return s.replace(/[&<>"]/g, sub);
+                return s;
             }
         },
         render: renderNodes