Fix highlight.js XSS / unescaped HTML issue #438
Closed
Fixes: #437 (Escape the HTML within code blocks)
References: #435 (Fix and improve highlighting with highlight.js)
When package.json was defined in the initial setup, highlight.js was not limited to the major version 9. As time passed by, highlight.js published two major releases, each with a lot of backend changes which were incompatible with Antora. The crucial upgrade from v9 to v10 was made on 20 Dec 2020 with PR: ([Security] Bump highlight.js from 9.18.1 to 10.4.1). As there was no upgrade limitation set in package.json, CI reported a go and no other obstacles were known at the time of reading, the PR got merged. Note that it is good advice to regularly check the Antora Default UI for changes...
Funnily, nobody identified the XSS / unescaped HTML issue which was printed in the browser's console...
With a discussion in the Antora channel (Escape content in source block), it turned out what issue we have and that we have to revert to highlight.js v9 AND avoid any upgrade for the time being.
This PR:
Note that the comments are written intentionally to avoid an accidental update of highlight.js.
@jnweiger fyi (as discussed)
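The following is an added example, not code from this PR, Antora or highlight.js: a small regression check for the issue behind #437. It scans rendered HTML for `<pre><code>` blocks whose content still contains raw markup (a sign the source text was not escaped before the highlighter ran) and provides the escaping that should be applied to code text first; the sample page, the `hljs` class names and the `escapeHtml` helper are assumptions for illustration.

```javascript
// Added example (not Antora Default UI or highlight.js code): detect code
// blocks that still carry unescaped HTML, the symptom reported in #437.

// Escape the characters that are significant inside HTML text content.
// This is what must happen to code text BEFORE it is handed to a highlighter.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Return the inner content of every <pre><code ...>...</code></pre> block.
function extractCodeBlocks(html) {
  const blocks = [];
  const re = /<pre[^>]*>\s*<code[^>]*>([\s\S]*?)<\/code>\s*<\/pre>/gi;
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

// A block is unescaped when it contains a raw tag: "<" followed by a letter
// or "/". Properly escaped code text only ever contains "&lt;". The
// highlighter's own <span class="hljs-..."> wrappers are the one form of
// nested markup we expect, so they are stripped before the check.
function hasUnescapedHtml(blockInner) {
  const withoutSpans = blockInner.replace(/<\/?span[^>]*>/gi, '');
  return /<[a-zA-Z\/]/.test(withoutSpans);
}

// All offending blocks of a rendered page; an empty array means the page is clean.
function findUnescapedCodeBlocks(html) {
  return extractCodeBlocks(html).filter(hasUnescapedHtml);
}

// Constructed sample page (assumption, not a real Antora page): two correctly
// escaped blocks and one block whose content was inserted unescaped.
const SAMPLE_PAGE = [
  '<pre><code class="hljs html">&lt;script&gt;alert(1)&lt;/script&gt;</code></pre>',
  '<pre><code class="hljs html"><span class="hljs-tag">&lt;div&gt;</span> ok</code></pre>',
  '<pre><code class="hljs html"><b>not escaped</b></code></pre>',
].join('\n');

console.log(findUnescapedCodeBlocks(SAMPLE_PAGE)); // prints [ '<b>not escaped</b>' ]
```

Running it over the site's generated HTML after a highlight.js bump would have flagged the regression in CI rather than leaving it as a browser-console warning.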