Merge pull request #31 from jkraemer/fix/footnote-html-escape

Author: haru

lib/wiki_extensions_div_macro.rb

@@ -22,8 +22,8 @@ module WikiExtensionsDivMacro
       " !{{div_start_tag(id_name, class_name)}}"
     macro :div_start_tag do |obj, args|
       o = '<div>' if args.length == 0
-      o = '<div id="' + args[0].strip + '">' if args.length == 1
-      o = '<div id="' + args[0].strip + '" class="' + args[1].strip + '">' if args.length == 2
+      o = '<div id="' + h(args[0].strip) + '">' if args.length == 1
+      o = '<div id="' + h(args[0].strip) + '" class="' + h(args[1].strip) + '">' if args.length == 2
       o.html_safe
     end
   end

lib/wiki_extensions_footnote.rb

@@ -39,7 +39,7 @@ def WikiExtensionsFootnote.preview_page
 
       o = ""
       o << word
-      o << '<a href="#wiki_extensins_fn_' +"#{data[:footnotes].length}" + '" class="wiki_extensions_fn" title="' + description + '" name="wiki_extensins_fn_src_' +"#{data[:footnotes].length}" + '">'
+      o << '<a href="#wiki_extensins_fn_' +"#{data[:footnotes].length}" + '" class="wiki_extensions_fn" title="' + h(description) + '" name="wiki_extensins_fn_src_' +"#{data[:footnotes].length}" + '">'
       o << "*#{data[:footnotes].length}"
       o << '</a>'
       return o.html_safe
@@ -60,7 +60,7 @@ def WikiExtensionsFootnote.preview_page
       cnt = 0
       data[:footnotes].each {|fn|
         cnt += 1
-        o << '<li><span class="wiki_extensions_fn">'+ "*#{cnt}</span> " +'<a name="wiki_extensins_fn_' + "#{cnt}" + '" href="#wiki_extensins_fn_src_' + "#{cnt}" + '"' + ">#{fn['word']}</a>:#{fn['description']}</li>"
+        o << '<li><span class="wiki_extensions_fn">'+ "*#{cnt}</span> " +'<a name="wiki_extensins_fn_' + "#{cnt}" + '" href="#wiki_extensins_fn_src_' + "#{cnt}" + '"' + ">#{fn['word']}</a>:#{h fn['description']}</li>"
       }
       o << '</ul>'
       o << '</div>'