Only allow valid HTML entities to be unescaped. Do not escape HTML entities in code blocks.

esc.go

@@ -13,12 +13,20 @@ var htmlEscaper = [256][]byte{
 }
 
 func escapeHTML(w io.Writer, s []byte) {
+	escapeEntities(w, s, false)
+}
+
+func escapeAllHTML(w io.Writer, s []byte) {
+	escapeEntities(w, s, true)
+}
+
+func escapeEntities(w io.Writer, s []byte, escapeValidEntities bool) {
 	var start, end int
 	for end < len(s) {
 		escSeq := htmlEscaper[s[end]]
 		if escSeq != nil {
 			isEntity, entityEnd := nodeIsEntity(s, end)
-			if isEntity {
+			if isEntity && !escapeValidEntities {
 				w.Write(s[start : entityEnd+1])
 				start = entityEnd + 1
 			} else {
@@ -41,9 +49,11 @@ func nodeIsEntity(s []byte, end int) (isEntity bool, endEntityPos int) {
 	if s[end] == '&' {
 		for endEntityPos < len(s) {
 			if s[endEntityPos] == ';' {
+				if entities[string(s[end:endEntityPos+1])] {
 					isEntity = true
 					break
 				}
+			}
 			if !isalnum(s[endEntityPos]) && s[endEntityPos] != '&' && s[endEntityPos] != '#' {
 				break
 			}

html.go

@@ -616,7 +616,7 @@ func (r *HTMLRenderer) RenderNode(w io.Writer, node *Node, entering bool) WalkSt
 		}
 	case Code:
 		r.out(w, codeTag)
-		escapeHTML(w, node.Literal)
+		escapeAllHTML(w, node.Literal)
 		r.out(w, codeCloseTag)
 	case Document:
 		break
@@ -762,7 +762,7 @@ func (r *HTMLRenderer) RenderNode(w io.Writer, node *Node, entering bool) WalkSt
 		r.cr(w)
 		r.out(w, preTag)
 		r.tag(w, codeTag[:len(codeTag)-1], attrs)
-		escapeHTML(w, node.Literal)
+		escapeAllHTML(w, node.Literal)
 		r.out(w, codeCloseTag)
 		r.out(w, preCloseTag)
 		if node.Parent.Type != Item {