From e618e3c4ebf57dead7b2dab890941fdac538ab61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergio=20Mart=C3=ADnez=20Portela?=
 <sergio@codigoparallevar.com>
Date: Sat, 7 May 2022 23:44:37 +0200
Subject: [PATCH] HTML escape output.

---
 _scripts/generate.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/_scripts/generate.py b/_scripts/generate.py
index f5f328d..7b2aff0 100644
--- a/_scripts/generate.py
+++ b/_scripts/generate.py
@@ -144,7 +144,7 @@ def render_list_item(element, acc):
     acc.append("<li>")
     if element.tag is not None:
         acc.append("<span class='tag'>")
-        acc.append(element.tag)
+        acc.append(html.escape(element.tag))
         acc.append("</span>")
 
     acc.append("<span class='item'>")
@@ -154,7 +154,7 @@ def render_list_item(element, acc):
 
 def render_code_block(element, acc):
     acc.append('<pre><code>')
-    acc.append(element.lines)
+    acc.append(html.escape(element.lines))
     acc.append('</code></pre>')
 
 
@@ -168,11 +168,17 @@ def render_text_tokens(tokens, acc):
         if isinstance(chunk, str):
             acc.append('{}</span> '.format(chunk))
         elif isinstance(chunk, Link):
-            # @TODO: URLEscape
             link_target = chunk.value
             if link_target.startswith('id:'):
                 link_target = './' + link_target[3:] + '.node.html'
-            acc.append('<a href="{}">{}</a>'.format(link_target, chunk.description))
+            description = chunk.description
+            if description is None:
+                description = chunk.value
+
+            acc.append('<a href="{}">{}</a>'.format(
+                html.escape(link_target),
+                html.escape(description),
+            ))
         else:
             raise NotImplementedError('TextToken: {}'.format(chunk))