do not double-escape contents of <script> tags (#48)

markdown/func.go

@@ -60,7 +60,7 @@ func EvalMarkdownFuncs(ctx context.Context, htmlFragment []byte, opt Options) ([
 		}
 
 		if !invokedFunc {
-			buf.WriteString(tok.String())
+			buf.WriteString(tokenStringWithUnescapedText(tok))
 		}
 	}
 	return buf.Bytes(), nil

markdown/html.go

@@ -52,11 +52,23 @@ func rewriteRelativeURLsInHTML(htmlFragment []byte, opt Options) ([]byte, error)
 				}
 			}
 		}
-		buf.WriteString(tok.String())
+
+		buf.WriteString(tokenStringWithUnescapedText(tok))
 	}
 	return buf.Bytes(), nil
 }
 
+// tokenStringWithUnescapedText returns the HTML token string, except that if it is a text node, it
+// is not escaped. For example, a text node containing "&" will not have that character escaped to
+// "&". This prevents double-escaping of tokens when multiple HTML tokenizers run on the
+// content.
+func tokenStringWithUnescapedText(tok html.Token) string {
+	if tok.Type == html.TextToken {
+		return tok.Data
+	}
+	return tok.String()
+}
+
 // isOnlyHTMLComment reports whether htmlFragment consists only of zero or more HTML comments and whitespace.
 func isOnlyHTMLComment(htmlFragment []byte) bool {
 	z := html.NewTokenizer(bytes.NewReader(htmlFragment))

markdown/markdown_test.go

@@ -240,6 +240,16 @@ func TestRenderer(t *testing.T) {
 			t.Errorf("got %q, want %q", string(doc.HTML), want)
 		}
 	})
+	t.Run("inline javascript script tag", func(t *testing.T) {
+		doc, err := Run(ctx, []byte("<script>'a'</script>\n\na"), Options{Base: &url.URL{Path: "/"}})
+		if err != nil {
+			t.Fatal(err)
+		}
+		want := "<script>'a'</script>\n\n<p>a</p>\n"
+		if string(doc.HTML) != want {
+			t.Errorf("got %q, want %q", string(doc.HTML), want)
+		}
+	})
 	t.Run("list", func(t *testing.T) {
 		t.Run("bare items", func(t *testing.T) {
 			doc, err := Run(ctx, []byte(`