diff --git a/pygments/formatters/html.py b/pygments/formatters/html.py
index 7174ad2dd7..17e6741452 100644
--- a/pygments/formatters/html.py
+++ b/pygments/formatters/html.py
@@ -18,6 +18,8 @@
 from pygments.token import Token, Text, STANDARD_TYPES
 from pygments.util import get_bool_opt, get_int_opt, get_list_opt
 
+import html
+
 try:
 import ctags
 except ImportError:
@@ -422,14 +424,14 @@ def __init__(self, **options):
 self.nowrap = get_bool_opt(options, 'nowrap', False)
 self.noclasses = get_bool_opt(options, 'noclasses', False)
 self.classprefix = options.get('classprefix', '')
- self.cssclass = self._decodeifneeded(options.get('cssclass', 'highlight'))
- self.cssstyles = self._decodeifneeded(options.get('cssstyles', ''))
+ self.cssclass = html.escape(self._decodeifneeded(options.get('cssclass', 'highlight')))
+ self.cssstyles = html.escape(self._decodeifneeded(options.get('cssstyles', '')))
 self.prestyles = self._decodeifneeded(options.get('prestyles', ''))
 self.cssfile = self._decodeifneeded(options.get('cssfile', ''))
 self.noclobber_cssfile = get_bool_opt(options, 'noclobber_cssfile', False)
 self.tagsfile = self._decodeifneeded(options.get('tagsfile', ''))
 self.tagurlformat = self._decodeifneeded(options.get('tagurlformat', ''))
- self.filename = self._decodeifneeded(options.get('filename', ''))
+ self.filename = html.escape(self._decodeifneeded(options.get('filename', '')))
 self.wrapcode = get_bool_opt(options, 'wrapcode', False)
 self.span_element_openers = {}
 self.debug_token_types = get_bool_opt(options, 'debug_token_types', False)
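Review bot: The new `import html` sits below the `pygments.*` imports with its own blank lines instead of alongside the standard-library imports; PEP 8 grouping would place it ahead of the project imports (the top of the import block is outside this hunk). Because the patched module is itself named `html.py`, the import only reaches the standard library while the file is loaded as `pygments.formatters.html`, so a short comment such as `# stdlib html, not this module` would help the next reader.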
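Review bot: `classprefix`, `prestyles`, `cssfile` and `tagurlformat` are still stored unescaped in this `__init__` hunk, right beside the three options that now pass through `html.escape`. The code that writes them out is outside the hunk, but if they are interpolated into `class`, `style` or `href` attributes the way `cssclass` and `cssstyles` presumably are, an application that forwards untrusted option values is only partly covered; `self.prestyles = html.escape(self._decodeifneeded(options.get('prestyles', '')))` and the same treatment for the others would make the fix consistent. Escaping at assignment also means `self.cssclass` and `self.filename` hold HTML-encoded text for every later consumer, so any non-HTML use (a CSS selector built from `cssclass`, for instance) would receive entities such as `&amp;`; escaping at the point where the value is written into markup avoids that. Either way the choice deserves a comment and a regression test that puts a quote character in each option.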
@@ -452,9 +454,9 @@ def __init__(self, **options):
 self.linenostep = abs(get_int_opt(options, 'linenostep', 1))
 self.linenospecial = abs(get_int_opt(options, 'linenospecial', 0))
 self.nobackground = get_bool_opt(options, 'nobackground', False)
- self.lineseparator = options.get('lineseparator', '\n')
- self.lineanchors = options.get('lineanchors', '')
- self.linespans = options.get('linespans', '')
+ self.lineseparator = html.escape(options.get('lineseparator', '\n'))
+ self.lineanchors = html.escape(options.get('lineanchors', ''))
+ self.linespans = html.escape(options.get('linespans', ''))
 self.anchorlinenos = get_bool_opt(options, 'anchorlinenos', False)
 self.hl_lines = set()
 for lineno in get_list_opt(options, 'hl_lines', []):
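Review bot: Escaping `lineseparator` changes what that option can express: it is emitted between lines, and as far as I recall the formatter's documentation suggests values such as `<br>`, which would now be rendered as literal `&lt;br&gt;` text. If markup there is intended, keep it raw and state the trust requirement, e.g. `self.lineseparator = options.get('lineseparator', '\n')  # raw HTML by design; never pass untrusted input`. Separately, the three added calls hand the raw option value straight to `html.escape`, which requires a `str`, so a caller passing `None` or another non-string for `lineanchors` or `linespans` now fails in the constructor where the value was previously just stored; `html.escape(str(options.get('lineanchors') or ''))` maps falsy values to the empty string instead. `__init__` continues past the end of this hunk.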