Skip to content
Taufik Nurrohman edited this page Feb 26, 2022 · 1 revision

"One of your code blocks includes unescaped HTML" (XSS attack vector)

This is the landing page Highlight.js links to when it detects a potential XSS attack vector. In your web console you'll see:

One of your code blocks includes unescaped HTML. This is a potentially serious security risk.

https://github.com/highlightjs/highlight.js/wiki/security

[<HTML element in question>]

Unescaped HTML

This warning indicates that a code block on your page contains unescaped HTML:

<pre><code class="language-html">
  <h1>This is a header</h1>
</code></pre>

See the h1 tags above. This is not correct.

Actual HTML code (that you're trying to highlight) inside code blocks should be properly escaped:

<pre><code class="lang-html">
  &lt;h1&gt;This is a header&lt;/h1&gt;
</code></pre>

Here the < and > have been replaced with their HTML safe equivalents.

Reference:

FAQ

Why is this Bad?

Unescaped HTML can lead to security vulnerabilities in the form of XSS attacks - someone sneaking their HTML (or JavaScript) inside your own - and then doing who knows what manner of mischief.

How can I fix my site to avoid the warning?

Remove all unescaped HTML from all your pre/code blocks.

Can I disable the warning?

Yes, our documentation explains how - but this is not something most users should do - and if there is a legitimate security vulnerability just turning off the warning doesn't resolve the vulnerability.

What if I really, really want to mix real HTML with my highlighted code?

We won't support this in Core. Actual (intentional) HTML inside of code blocks (which is valid in the HTML spec) is simply not something we support because far too easy to shoot yourself in the foot with it. This type of support (for the small number who need it) can easily be added via a plugin. If someone is willing to bring the old HTML merge plugin up-to-date and maintain and support it, they are free to do so. The plugin hook you are looking for is before:highlightElement.

  1. José e Maria Maria
  2. José J&M
Clone this wiki locally