How to not render html

Question

How to not render html

Opened this issue 2 years ago · 2 comments

I'd like to use your tool with some json files containing html code. But I'd like to see the code as code rather than rendered html. Is this currently possible ?

Answer 1 · 2022-08-31T08:21:40.000Z

Replacing
<div class="json-value json-${r}">${t}</div>
with
<div class="json-value json-${r}">${String(t).replace('>','>').replace('<','<')}</div>
seems to work.

Answer 2 · 2022-09-13T21:30:19.000Z

This is a serious problem of the library that does not do any kind of escape, the solution proposed by @kodiful is not a safe workaround.

Not all the necessary escapes have been made

.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;")

This bug needs to be fixed in the library and can lead to severe xss