From 523f5776deba67f05a71f7c2b987f9f192523bed Mon Sep 17 00:00:00 2001 From: Alexander Medvednikov Date: Sat, 16 May 2026 16:34:03 +0300 Subject: [PATCH] highlight: fix capture-group indexing in markdown HTML sanitizer regex.get_all() returns the full match at index 0 and capture groups starting at 1, so the previous tag_parts[0]/parts[1] reads were returning the whole match where the sanitizer expected the tag name and attributes. Shift the indexes by one and guard the optional tag-content group, which is missing for self-closing tags. --- highlight/markdown.v | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/highlight/markdown.v b/highlight/markdown.v index 3a0e63e..83acfba 100644 --- a/highlight/markdown.v +++ b/highlight/markdown.v @@ -116,9 +116,9 @@ fn sanitize_html_tags_with_re(re string, code string) string { last_found_index = matched_start_index + tag.len tag_parts := matched.get_all() - tag_name := tag_parts[0].trim_space().to_lower() - tag_attributes := tag_parts[1].trim_space() - tag_content := tag_parts[2].trim_space() + tag_name := tag_parts[1].trim_space().to_lower() + tag_attributes := tag_parts[2].trim_space() + tag_content := if tag_parts.len > 3 { tag_parts[3].trim_space() } else { '' } is_allowed_tag := allowed_tags.contains(tag_name) if !is_allowed_tag { @@ -167,8 +167,8 @@ fn sanitize_html_attributes(attributes string) string { last_found_index += matched_start_index + attribute.len attribute_parts := matched.get_all() - attribute_name := attribute_parts[0].trim_space().to_lower() - attribute_value := attribute_parts[1].trim_space() + attribute_name := attribute_parts[1].trim_space().to_lower() + attribute_value := attribute_parts[2].trim_space() is_allowed_attribute := allowed_attributes.contains(attribute_name) is_unallowed_schemas := unallowed_schemas.any(attribute_value.starts_with(it)) -- 2.39.5