From 26f630dfa1d78b5b05d2684f07cd557d64daa78a Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <anders@zulip.com>
Date: Mon, 2 Nov 2020 15:44:17 -0800
Subject: [PATCH] fenced_code: Escape code_language on output in wrapped_code.

Strings should be escaped at the point of interpolation into a
template, not before.  In this case, the early escape was hiding the
bug that code_language was only escaped if it was not found in
pygments_data.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
---
 static/shared/js/fenced_code.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/static/shared/js/fenced_code.js b/static/shared/js/fenced_code.js
index 3f5fe4a125..22a086694e 100644
--- a/static/shared/js/fenced_code.js
+++ b/static/shared/js/fenced_code.js
@@ -46,8 +46,10 @@ export function wrap_code(code, lang) {
     // the `/shared` folder. To handle such a case we check if pygments data is empty and fallback to
     // using the default header if it is.
     if (lang !== undefined && lang !== "" && Object.keys(pygments_data).length > 0) {
-        const code_language = _.get(pygments_data, [lang, "pretty_name"], _.escape(lang));
-        header = `<div class="codehilite" data-code-language="${code_language}"><pre><span></span><code>`;
+        const code_language = _.get(pygments_data, [lang, "pretty_name"], lang);
+        header = `<div class="codehilite" data-code-language="${_.escape(
+            code_language,
+        )}"><pre><span></span><code>`;
     }
     // Trim trailing \n until there's just one left
     // This mirrors how pygments handles code input