xtermjs / xterm.js

A terminal for the web
https://xtermjs.org/
MIT License

Escape Unsafe HTML Characters in addon-serialize #5020

Closed sawka closed 2 months ago

sawka commented 3 months ago

I was testing the addon-serialize serializeAsHTML functionality and noticed that it can produce invalid/unsafe HTML because it isn't escaping "<" and "&" characters in the output spans. Wrote a quick patch that escapes those two dangerous characters in the output.

Note that a lot of functions/libraries want to escape other characters (like quotes, greater-than, etc.). These are only necessary to escape if you are also worried about attribute values. These characters do not need to be escaped when you are only dealing with characters between tags (text content), which is the case here.

I added a test (which passes), but didn't put the more canonical "" test in because the test terminal only has 10 columns. All of the other serialize tests continue to pass.
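The text-content versus attribute-value distinction from the description above, as an added example that is not xterm.js's own serializer code: the `serializeRow` shape, its `style` attribute and the sample rows are assumed for illustration.

```javascript
// Added example (not xterm.js code): the two HTML escaping contexts that
// matter when serializing terminal content to HTML.

// In text content (between tags) only '&' and '<' can change how the markup
// parses: '&' starts an entity, '<' starts a tag. '&' is escaped first so the
// '&' introduced by '&lt;' is not escaped a second time.
function escapeTextContent(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;');
}

// Inside a quoted attribute value the quote characters (and '>') must be
// escaped as well, otherwise a value could terminate the attribute or tag.
function escapeAttribute(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build one serialized row: a <span> per run of cells, with an assumed CSS
// color in a style attribute (attribute context) and the cell text as the
// span's content (text-content context).
function serializeRow(runs) {
  return runs
    .map(r => `<span style="color: ${escapeAttribute(r.color)}">` +
              `${escapeTextContent(r.text)}</span>`)
    .join('');
}

// Sanity check on serializer output: after removing the <span> tags we
// generated and the entities we emit, no raw '<' or '&' may remain.
function textContentIsEscaped(html) {
  const between = html.replace(/<\/?span[^>]*>/g, '');
  return !/[<&]/.test(between.replace(/&(amp|lt|gt|quot|#39);/g, ''));
}

// Constructed sample rows with characters that would break unescaped output.
const sample = [
  { color: '#ff0000', text: 'cat f.txt | grep "<tag>" && echo ok' },
  { color: '#00ff00', text: ' done' },
];
console.log(serializeRow(sample));
```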