diff --git a/djangoapps/simplewiki/mdx_circuit.py b/djangoapps/simplewiki/mdx_circuit.py
index 72e432012f..b598e184c6 100755
--- a/djangoapps/simplewiki/mdx_circuit.py
+++ b/djangoapps/simplewiki/mdx_circuit.py
@@ -10,6 +10,7 @@ import re
import simplewiki.settings as settings
+from django.utils.html import escape
from mitxmako.shortcuts import render_to_response, render_to_string
@@ -56,8 +57,9 @@ class CircuitPreprocessor(markdown.preprocessors.Preprocessor):
class CircuitLink(markdown.inlinepatterns.Pattern):
def handleMatch(self, m):
data = m.group('data')
+ data = escape(data)
##TODO: We need to html escape the data
- return etree.fromstring("")
+ return etree.fromstring("")
def makeExtension(configs=None) :
diff --git a/static/js/CodeMirror/mitx_markdown.js b/static/js/CodeMirror/mitx_markdown.js
index 9991a4f05c..9674d52264 100644
--- a/static/js/CodeMirror/mitx_markdown.js
+++ b/static/js/CodeMirror/mitx_markdown.js
@@ -58,20 +58,28 @@ CodeMirror.defineMode("mitx_markdown", function(cmCfg, modeCfg) {
, strong = 'strong'
, emstrong = 'emstrong';
+ function escapeHtml(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ }
+
var circuit_formatter = {
creator: function(text) {
var circuit_value = text.match(circuitRE)[1]
- //TODO: We need real html escaping here
- circuit_value = CodeMirror.htmlEscape(circuit_value);// circuit_value.replace("\"", "'");
+ circuit_value = escapeHtml(circuit_value);
var html = "" +
- "";
+ "";
return html;
},
size: function(text) {
- return {width: 150, height:154};
+ return {width: 150, height:152};
},
callback: function(node, line) {
update_schematics();