From 3aefb2ebdad54f1baa6bd28296db0fa3b0d7e896 Mon Sep 17 00:00:00 2001
From: mkpaz
Date: Wed, 17 May 2023 15:00:57 +0400
Subject: [PATCH] Escape HTML before setting content to CodeViewer
---
 .../java/atlantafx/sampler/page/CodeViewer.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/sampler/src/main/java/atlantafx/sampler/page/CodeViewer.java b/sampler/src/main/java/atlantafx/sampler/page/CodeViewer.java
index 6e334a1..8c0def5 100644
--- a/sampler/src/main/java/atlantafx/sampler/page/CodeViewer.java
+++ b/sampler/src/main/java/atlantafx/sampler/page/CodeViewer.java
@@ -56,7 +56,7 @@ public class CodeViewer extends AnchorPane {
 .append("")
 .append("
")
                 .append("")
-                .append(new String(source.readAllBytes(), UTF_8))
+                .append(escapeHtml(new String(source.readAllBytes(), UTF_8)))
                 .append("")
                 .append("
") .append("") @@ -69,4 +69,19 @@ public class CodeViewer extends AnchorPane { throw new RuntimeException(e); } } + + private String escapeHtml(String s) { + var out = new StringBuilder(Math.max(128, s.length())); + for (int i = 0; i < s.length(); i++) { + char c = s.charAt(i); + if (c > 127 || c == '"' || c == '\'' || c == '<' || c == '>' || c == '&') { + out.append("&#"); + out.append((int) c); + out.append(';'); + } else { + out.append(c); + } + } + return out.toString(); + } }