From 5fb3f1a44b09d98fed518084a7a14ce0a18bbb9b Mon Sep 17 00:00:00 2001
From: Hikari
Date: Wed, 25 Feb 2026 18:29:59 -0800
Subject: [PATCH] fix: escape raw HTML in markdown renderer (#169)

Prevents HTML tags from being rendered as live DOM elements in terminal output. Overrides the marked codespan and html renderers to escape < and > before inserting into the output HTML.
---
 src/lib/components/Markdown.svelte | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lib/components/Markdown.svelte b/src/lib/components/Markdown.svelte
index 671ae48..7560e98 100644
--- a/src/lib/components/Markdown.svelte
+++ b/src/lib/components/Markdown.svelte
@@ -35,7 +35,12 @@
 };
 renderer.codespan = ({ text }) => {
- return `${text}`;
+ const escaped = text.replace(//g, ">");
+ return `${escaped}`;
+ };
+
+ renderer.html = ({ text }) => {
+ return text.replace(//g, ">");
 };
 marked.setOptions({
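Review bot: Both new renderers (`renderer.codespan` and `renderer.html`) escape only `<` and `>`, per the commit message, and leave `&` alone, so entity text such as `&lt;b&gt;` in a code span or raw-HTML token would be decoded by the browser and shown as `<b>` instead of the literal characters — assuming `text` arrives unescaped, as the need for this fix suggests. That cannot create an element, but it misrepresents the content; escaping `&` first closes it, and one shared helper keeps the two call sites in step: `const escapeHtml = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");`. The page's copy of the hunk has lost the regex pattern and entity strings (`text.replace(//g, ">")`), so this reading rests on the description rather than the visible lines. The override that ends just above the hunk and any link or image renderers are outside this view; URL schemes in links are not touched by this change and are worth a separate check.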