Fix breaking out of code (text) w/ potential flow after eols

Closes GH-13.

Author: wooorm

lib/handle/inline-code.js

@@ -1,10 +1,16 @@
 module.exports = inlineCode
 inlineCode.peek = inlineCodePeek
 
-function inlineCode(node) {
+var compilePattern = require('../util/compile-pattern')
+
+function inlineCode(node, parent, context) {
   var value = node.value || ''
   var sequence = '`'
-  var pad = ''
+  var index = -1
+  var pattern
+  var expression
+  var match
+  var position
 
   // If there is a single grave accent on its own in the code, use a fence of
   // two.
@@ -20,10 +26,42 @@ function inlineCode(node) {
     (/[ \r\n`]/.test(value.charAt(0)) ||
       /[ \r\n`]/.test(value.charAt(value.length - 1)))
   ) {
-    pad = ' '
+    value = ' ' + value + ' '
+  }
+
+  // We have a potential problem: certain characters after eols could result in
+  // blocks being seen.
+  // For example, if someone injected the string `'\n# b'`, then that would
+  // result in an ATX heading.
+  // We can’t escape characters in `inlineCode`, but because eols are
+  // transformed to spaces when going from markdown to HTML anyway, we can swap
+  // them out.
+  while (++index < context.unsafe.length) {
+    pattern = context.unsafe[index]
+
+    // Only look for `atBreak`s.
+    // Btw: note that `atBreak` patterns will always start the regex at LF or
+    // CR.
+    if (!pattern.atBreak) continue
+
+    expression = compilePattern(pattern)
+
+    while ((match = expression.exec(value))) {
+      position = match.index
+
+      // Support CRLF (patterns only look for one of the characters).
+      if (
+        value.charCodeAt(position) === 10 /* `\n` */ &&
+        value.charCodeAt(position - 1) === 13 /* `\r` */
+      ) {
+        position--
+      }
+
+      value = value.slice(0, position) + ' ' + value.slice(match.index + 1)
+    }
   }
 
-  return sequence + pad + value + pad + sequence
+  return sequence + value + sequence
 }
 
 function inlineCodePeek() {

lib/util/compile-pattern.js

@@ -0,0 +1,25 @@
+module.exports = compilePattern
+
+function compilePattern(pattern) {
+  var before
+  var after
+
+  if (!pattern._compiled) {
+    before = pattern.before ? '(?:' + pattern.before + ')' : ''
+    after = pattern.after ? '(?:' + pattern.after + ')' : ''
+
+    if (pattern.atBreak) {
+      before = '[\\r\\n][\\t ]*' + before
+    }
+
+    pattern._compiled = new RegExp(
+      (before ? '(' + before + ')' : '') +
+        (/[|\\{}()[\]^$+*?.-]/.test(pattern.character) ? '\\' : '') +
+        pattern.character +
+        (after || ''),
+      'g'
+    )
+  }
+
+  return pattern._compiled
+}

lib/util/safe.js

@@ -1,5 +1,7 @@
 module.exports = safe
 
+var compilePattern = require('./compile-pattern')
+
 function safe(context, input, config) {
   var value = (config.before || '') + (input || '') + (config.after || '')
   var positions = []
@@ -25,8 +27,7 @@ function safe(context, input, config) {
       continue
     }
 
-    expression =
-      pattern._compiled || (pattern._compiled = toExpression(pattern))
+    expression = compilePattern(pattern)
 
     while ((match = expression.exec(value))) {
       before = 'before' in pattern || pattern.atBreak
@@ -126,23 +127,6 @@ function inScope(stack, list, none) {
   return false
 }
 
-function toExpression(pattern) {
-  var before = pattern.before ? '(?:' + pattern.before + ')' : ''
-  var after = pattern.after ? '(?:' + pattern.after + ')' : ''
-
-  if (pattern.atBreak) {
-    before = '[\\r\\n][\\t ]*' + before
-  }
-
-  return new RegExp(
-    (before ? '(' + before + ')' : '') +
-      (/[|\\{}()[\]^$+*?.-]/.test(pattern.character) ? '\\' : '') +
-      pattern.character +
-      (after || ''),
-    'g'
-  )
-}
-
 function numerical(a, b) {
   return a - b
 }

test.js

@@ -1363,6 +1363,36 @@ test('Code text', function (t) {
     'should pad w/ a space if the value ends w/ a space'
   )
 
+  t.equal(
+    to({type: 'inlineCode', value: 'a\n-'}),
+    '`a -`\n',
+    'should prevent breaking out of code (-)'
+  )
+
+  t.equal(
+    to({type: 'inlineCode', value: 'a\n#'}),
+    '`a #`\n',
+    'should prevent breaking out of code (#)'
+  )
+
+  t.equal(
+    to({type: 'inlineCode', value: 'a\n1. '}),
+    '` a 1.  `\n',
+    'should prevent breaking out of code (\\d\\.)'
+  )
+
+  t.equal(
+    to({type: 'inlineCode', value: 'a\r-'}),
+    '`a -`\n',
+    'should prevent breaking out of code (cr)'
+  )
+
+  t.equal(
+    to({type: 'inlineCode', value: 'a\r\n-'}),
+    '`a -`\n',
+    'should prevent breaking out of code (crlf)'
+  )
+
   t.end()
 })