From b433939ca8e72e9e8d763f257606738f0a51f8f8 Mon Sep 17 00:00:00 2001
From: Le Tan <tamlokveer@gmail.com>
Date: Mon, 28 May 2018 20:35:59 +0800
Subject: [PATCH] bug-fix: escape HTML meta characters in title

---
 src/resources/marked.js                          | 5 +++--
 src/resources/showdown.js                        | 2 +-
 src/resources/themes/v_moonlight/v_moonlight.css | 1 -
 src/resources/themes/v_native/v_native.css       | 1 -
 src/resources/themes/v_pure/v_pure.css           | 1 -
 5 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/resources/marked.js b/src/resources/marked.js
index d03c49fb..ab4bdeb4 100644
--- a/src/resources/marked.js
+++ b/src/resources/marked.js
@@ -5,12 +5,13 @@ var nameCounter = 0;
 renderer.heading = function(text, level) {
     // Use number to avoid issues with Chinese
     var escapedText = 'toc_' + nameCounter++;
+    var textHtml = escapeHtml(text);
     toc.push({
         level: level,
         anchor: escapedText,
-        title: text
+        title: textHtml
     });
-    return '<h' + level + ' id="' + escapedText + '">' + text + '</h' + level + '>';
+    return '<h' + level + ' id="' + escapedText + '">' + textHtml + '</h' + level + '>';
 };
 
 // Highlight.js to highlight code block
diff --git a/src/resources/showdown.js b/src/resources/showdown.js
index e95ae9f1..ed1e85ed 100644
--- a/src/resources/showdown.js
+++ b/src/resources/showdown.js
@@ -23,7 +23,7 @@ var parseHeadings = function(html) {
         toc.push({
             level: level,
             anchor: ele.id,
-            title: ele.innerHTML
+            title: escapeHtml(ele.textContent)
         });
     }
 
diff --git a/src/resources/themes/v_moonlight/v_moonlight.css b/src/resources/themes/v_moonlight/v_moonlight.css
index 90d3f2e1..5bc268d9 100644
--- a/src/resources/themes/v_moonlight/v_moonlight.css
+++ b/src/resources/themes/v_moonlight/v_moonlight.css
@@ -89,7 +89,6 @@ pre {
 
 code {
     font-family: Consolas, Monaco, Monospace, Courier;
-    font-size: 16px;
     color: #98C379;
     word-break: break-all;
 }
diff --git a/src/resources/themes/v_native/v_native.css b/src/resources/themes/v_native/v_native.css
index 3a71592d..8b40ddee 100644
--- a/src/resources/themes/v_native/v_native.css
+++ b/src/resources/themes/v_native/v_native.css
@@ -89,7 +89,6 @@ pre {
 
 code {
     font-family: Consolas, Monaco, Monospace, Courier;
-    font-size: 16px;
     color: #8E24AA;
     word-break: break-all;
 }
diff --git a/src/resources/themes/v_pure/v_pure.css b/src/resources/themes/v_pure/v_pure.css
index 0c8221a3..311fe424 100644
--- a/src/resources/themes/v_pure/v_pure.css
+++ b/src/resources/themes/v_pure/v_pure.css
@@ -90,7 +90,6 @@ pre {
 
 code {
     font-family: Consolas, Monaco, Monospace, Courier;
-    font-size: 16px;
     color: #8E24AA;
     word-break: break-all;
 }