From addb487edd8a14cf1885400c02da1366f34b99ac Mon Sep 17 00:00:00 2001
From: Adriano Sela Aviles
Date: Tue, 10 Dec 2024 10:39:41 -0800
Subject: [PATCH] [CVE-2024-51735/GHSA-wvv7-wm5v-w2gv] Fix XSS In Markdown Resolver

---
 core/markdown.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/markdown.go b/core/markdown.go
index e32bde0..42a4b6a 100644
--- a/core/markdown.go
+++ b/core/markdown.go
@@ -2,6 +2,7 @@ package core
 import (
 	"path"
+	"text/template"
 	"fmt"
 	"os"
@@ -106,6 +107,9 @@ func (r *Runner) ResolveContentSrc(tag string) string {
 	fileContent := utils.GetFileContent(match[1])
 	utils.DebugF("Replace content src: %v", color.GreenString(match[1]))
+	// sanitize file content to prevent XSS
+	fileContent = template.HTMLEscapeString(fileContent)
+
 	if strings.Contains(tag, "expand=true") {
 		return "```\n" + fileContent + "```"
 	}
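Review bot: In the `expand=true` branch the already HTML-escaped content is wrapped in a ``` fence, so every `<`/`&` in the included file now renders as a literal `&lt;`/`&amp;` (fenced code is shown verbatim), while the backticks that could close that fence early are not touched by `HTMLEscapeString`, so a file containing a ``` line still breaks out of the fence and the remainder is parsed as markdown. Escaping is only needed on the non-fenced path, which continues past the hunk; for the fenced path neutralise the fence markers instead, e.g. `strings.ReplaceAll(fileContent, "```", "` ` `")`, or choose a fence longer than any backtick run in the content. If the result is later rendered as markdown, HTML-escaping alone does not stop markdown-level constructs such as `[x](javascript:...)` links — whether that is reachable depends on the renderer's sanitiser, which is not visible here. Minor: `html/template` is the conventional home of `HTMLEscapeString` (the `text/template` one is the same function), and goimports would sort the new import into the stdlib group rather than between `"path"` and `"fmt"`. `ResolveContentSrc` starts and ends outside the hunk.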