HTML escape output.

_scripts/generate.py

@@ -144,7 +144,7 @@ def render_list_item(element, acc):
     acc.append("<li>")
     if element.tag is not None:
         acc.append("<span class='tag'>")
-        acc.append(element.tag)
+        acc.append(html.escape(element.tag))
         acc.append("</span>")
 
     acc.append("<span class='item'>")
@@ -154,7 +154,7 @@ def render_list_item(element, acc):
 
 def render_code_block(element, acc):
     acc.append('<pre><code>')
-    acc.append(element.lines)
+    acc.append(html.escape(element.lines))
     acc.append('</code></pre>')
 
 
@@ -168,11 +168,17 @@ def render_text_tokens(tokens, acc):
         if isinstance(chunk, str):
             acc.append('{}</span> '.format(chunk))
         elif isinstance(chunk, Link):
-            # @TODO: URLEscape
             link_target = chunk.value
             if link_target.startswith('id:'):
                 link_target = './' + link_target[3:] + '.node.html'
-            acc.append('<a href="{}">{}</a>'.format(link_target, chunk.description))
+            description = chunk.description
+            if description is None:
+                description = chunk.value
+
+            acc.append('<a href="{}">{}</a>'.format(
+                html.escape(link_target),
+                html.escape(description),
+            ))
         else:
             raise NotImplementedError('TextToken: {}'.format(chunk))