fix: escape/textify the contents of inline and block code (#954)

composables/content-parse.ts

@@ -53,10 +53,13 @@ export function parseMastodonHTML(
     // Handle code blocks
     html = html
       .replace(/>(```|~~~)(\w*)([\s\S]+?)\1/g, (_1, _2, lang: string, raw: string) => {
-        const code = htmlToText(raw)
+        const code = htmlToText(raw).replace(/</g, '&lt;').replace(/>/g, '&gt;')
         const classes = lang ? ` class="language-${lang}"` : ''
         return `><pre><code${classes}>${code}</code></pre>`
       })
+      .replace(/`([^`\n]*)`/g, (_1, raw) => {
+        return raw ? `<code>${htmlToText(raw).replace(/</g, '&lt;').replace(/>/g, '&gt;')}</code>` : ''
+      })
   }
 
   // Always sanitize the raw HTML data *after* it has been modified