From 8ccabb349e9a4569a6279980067048800f0cbe19 Mon Sep 17 00:00:00 2001
From: rolux <rolux@rolux.org>
Date: Fri, 22 Jun 2012 10:24:25 +0200
Subject: [PATCH] Ox.sanitizeHTML: decode html entities before encoding html
 entities; Ox.parseMarkdown: encode '<' in code spans and code blocks

---
 source/Ox/js/HTML.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/source/Ox/js/HTML.js b/source/Ox/js/HTML.js
index 8511e6ac..e7e6bc8c 100644
--- a/source/Ox/js/HTML.js
+++ b/source/Ox/js/HTML.js
@@ -403,14 +403,15 @@
                 /\n```(.*)\n([^`]+)\n```/g,
                 function(match, classname, code) {
                     return '<pre><code'
-                        + (classname ? ' class="' + classname + '"' : '')
-                        + '>' + code.trim() + '\n</code></pre>';
+                        + (classname ? ' class="' + classname + '"' : '') + '>'
+                        + code.trim().replace(/</g, '&lt;') + '\n</code></pre>';
                 }
             )
             .replace(
                 /(^|[^\\])(`+)([^\r]*?[^`])\2(?!`)/gm,
                 function(match, prev, backticks, code, next) {
-                    return prev + '<code>' + code.trim() + '</code>';
+                    return prev + '<code>'
+                        + code.trim().replace(/</g, '&lt;') + '</code>';
             	}
             )
             .replace(
@@ -489,7 +490,7 @@
                 });
             });
         });
-        html = Ox.encodeHTMLEntities(html);
+        html = Ox.encodeHTMLEntities(Ox.decodeHTMLEntities(html));
         matches.forEach(function(match, i) {
             html = html.replace(new RegExp(salt.join(i)), match);
         });