diff --git a/README.md b/README.md
index 15da957c..de105854 100644
--- a/README.md
+++ b/README.md
@@ -186,6 +186,7 @@ gem 'rouge'
 * `PlainTextInputFilter` - `escape_utils`
 * `SanitizationFilter` - `sanitize`
 * `SyntaxHighlightFilter` - `rouge`
+* `TableOfContentsFilter` - `escape_utils`
 * `TextileFilter` - `RedCloth`
 _Note:_ See [Gemfile](/Gemfile) `:test` block for version requirements.
diff --git a/lib/html/pipeline/toc_filter.rb b/lib/html/pipeline/toc_filter.rb
index 4b15e252..56b72cdd 100644
--- a/lib/html/pipeline/toc_filter.rb
+++ b/lib/html/pipeline/toc_filter.rb
@@ -1,3 +1,5 @@
+HTML::Pipeline.require_dependency('escape_utils', 'TableOfContentsFilter')
+
 module HTML
 class Pipeline
 # HTML filter that adds an 'id' attribute to all headers
@@ -43,7 +45,7 @@ def call
 uniq = headers[id] > 0 ? "-#{headers[id]}" : ''
 headers[id] += 1
 if header_content = node.children.first
- result[:toc] << %(
  • #{text}
  • \n) + result[:toc] << %(
  • #{EscapeUtils.escape_html(text)}
  • \n)
 header_content.add_previous_sibling(%())
 end
 end
diff --git a/test/html/pipeline/toc_filter_test.rb b/test/html/pipeline/toc_filter_test.rb
index 4b4599fd..c6164cfa 100644
--- a/test/html/pipeline/toc_filter_test.rb
+++ b/test/html/pipeline/toc_filter_test.rb
@@ -92,6 +92,12 @@ def test_all_header_tags_are_found_when_adding_anchors
 assert_equal 6, doc.search('a').size
 end
+ def test_toc_outputs_escaped_html
 @orig = %(
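Review bot: Only the link text is escaped on the new `result[:toc] <<` line; `id` and `uniq` are still interpolated unescaped into the `href` attribute of that same entry and into the anchor markup handed to `add_previous_sibling` on the following line (the tag and attribute text is stripped from this rendering, so this is inferred from the template shape). Whether that is safe depends on how `id` is derived from the heading text above this hunk, which is not visible here. If that derivation does not guarantee an attribute-safe character set, escape the anchor once and reuse it, e.g. `anchor = EscapeUtils.escape_html("#{id}#{uniq}")` interpolated into both the `href` and the `name`; if it does, document the invariant next to the derivation: `# id is reduced to word characters and dashes above, so it is safe to interpolate into attributes unescaped`. `call` starts and ends outside this hunk.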

    <img src="x" onerror="alert(42)">

    )
+
+ refute_includes toc, %()
+ end
+
 def test_toc_is_complete
 @orig = %(

    "Funky President" by James Brown

    "It's My Thing" by Marva Whitney
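Review bot: The new `test_toc_outputs_escaped_html` only asserts that the raw `<img>` tag is absent from `toc`, so a TOC that dropped the heading text entirely or emitted an empty entry would pass as well; pin the positive side too, `assert_includes toc, %(&lt;img src=&quot;x&quot; onerror=&quot;alert(42)&quot;&gt;)`, which is the form `EscapeUtils.escape_html` produces for that text. The heading markup in `@orig` is shown here with its entities decoded, so this rendering does not show whether the source heading holds a literal tag or an entity-encoded one; if the filter reads the heading's text content (not visible here), a literal `<img>` inside the `<h1>` would contribute no text and would not exercise the escaping path, so the entity-encoded form is the one this test needs. The enclosing test class starts and ends outside this hunk.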

    @@ -101,7 +107,7 @@ def test_toc_is_complete
    "Ruthless Villain" by Eazy-E
    "Be Thankful for What You Got" by William DeVaughn)
- expected = %()
+ expected = %()
 assert_equal expected, toc
 end