From f72a40f0958bd992278d80abe403d0871b3ba4a1 Mon Sep 17 00:00:00 2001
From: Roberto Alsina
Date: Thu, 15 Aug 2024 17:12:29 -0300
Subject: [PATCH] Oops, escape things in HTML formatter!
---
 src/formatters/html.cr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/formatters/html.cr b/src/formatters/html.cr
index 1c8a245..715d793 100644
--- a/src/formatters/html.cr
+++ b/src/formatters/html.cr
@@ -1,5 +1,6 @@
 require "../constants/token_abbrevs.cr"
 require "../formatter"
+require "html"
 module Tartrazine
 class Html < Formatter
@@ -67,7 +68,7 @@ module Tartrazine
 line_id = linkable_line_numbers? ? "id=\"#{line_number_id_prefix}#{i + 1}\"" : ""
 outp << "#{line_label} "
 line.each do |token|
- fragment = "#{token[:value]}"
+ fragment = "#{HTML.escape(token[:value])}"
 outp << fragment
 end
 end
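Review bot: Only the token text is escaped in the second hunk; on its first context line `line_number_id_prefix` is still interpolated raw into the `id="…"` attribute, so if that option can ever be set from user-supplied configuration, a `"` in it would break out of the attribute. Consider `line_id = linkable_line_numbers? ? "id=\"#{HTML.escape(line_number_id_prefix)}#{i + 1}\"" : ""`, or validating the prefix where it is assigned. The patch changes only `src/formatters/html.cr`, so a spec that formats input containing `<`, `>`, `&` and quotes and asserts the escaped output would keep this fix from regressing. The enclosing method starts and ends outside the hunk, so any other interpolations in it could not be checked from here.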