From 0eea28bdb2fb4314c805d0d87f33e86a5c6eaa5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20M=C3=BCller?= <straightshoota@gmail.com>
Date: Wed, 22 Mar 2023 14:28:27 +0100
Subject: [PATCH] Fix `SyntaxHighlighter::HTML` to escape identifier values

---
 spec/std/crystal/syntax_highlighter/html_spec.cr | 2 +-
 src/crystal/syntax_highlighter/html.cr           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/std/crystal/syntax_highlighter/html_spec.cr b/spec/std/crystal/syntax_highlighter/html_spec.cr
index fc1a3d25672c..84e7c69ff410 100644
--- a/spec/std/crystal/syntax_highlighter/html_spec.cr
+++ b/spec/std/crystal/syntax_highlighter/html_spec.cr
@@ -73,7 +73,7 @@ describe Crystal::SyntaxHighlighter::HTML do
       == < <= > >= != =~ !~
       & | ^ ~ ** >> << %
     ).each do |op|
-      it_highlights %(def #{op}), %(<span class="k">def</span> <span class="m">#{op}</span>)
+      it_highlights %(def #{op}), %(<span class="k">def</span> <span class="m">#{HTML.escape(op)}</span>)
     end
 
     it_highlights %(def //), %(<span class="k">def</span> <span class="m">/</span><span class="m">/</span>)
diff --git a/src/crystal/syntax_highlighter/html.cr b/src/crystal/syntax_highlighter/html.cr
index f453895f25bb..3f146b662485 100644
--- a/src/crystal/syntax_highlighter/html.cr
+++ b/src/crystal/syntax_highlighter/html.cr
@@ -52,7 +52,7 @@ class Crystal::SyntaxHighlighter::HTML < Crystal::SyntaxHighlighter
     when .string?
       span "s" { ::HTML.escape(value, @io) }
     when .ident?
-      span "m", &.print value
+      span "m" { ::HTML.escape(value, @io) }
     when .keyword?, .self?
       span "k", &.print value
     when .primitive_literal?