From 991e78f7c4220b2f8da042877c6f0ef5a4683be0 Mon Sep 17 00:00:00 2001
From: Forbes Lindesay <forbes@lindesay.co.uk>
Date: Sun, 28 Feb 2021 18:21:18 +0000
Subject: [PATCH] fix: sanitise and escape the `pretty` option (#3314)

---
 packages/pug-code-gen/index.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/packages/pug-code-gen/index.js b/packages/pug-code-gen/index.js
index a75929ce9..de5c70a72 100644
--- a/packages/pug-code-gen/index.js
+++ b/packages/pug-code-gen/index.js
@@ -57,6 +57,11 @@ function Compiler(node, options) {
   if (this.pp && typeof this.pp !== 'string') {
     this.pp = '  ';
   }
+  if (this.pp && !/^\s+$/.test(this.pp)) {
+    throw new Error(
+      'The pretty parameter should either be a boolean or whitespace only string'
+    );
+  }
   this.debug = false !== options.compileDebug;
   this.indents = 0;
   this.parentIndents = 0;
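Review bot: The whitelist on the added `if (this.pp && !/^\s+$/.test(this.pp))` line accepts every character in `\s`, including line terminators such as `\n`, `\r`, U+2028 and U+2029. A `pretty` value containing a newline therefore passes validation and relies on the `stringify(...)` calls in the two later hunks to remain a valid string literal in the generated code. If only spaces and tabs are meant to be supported, `/^[ \t]+$/` states that directly; otherwise a comment such as `// pp is emitted into generated JS; allow whitespace only so it cannot carry code` would record why the check exists. The diffstat lists only index.js, so no regression test covers the change; one that checks a non-whitespace `pretty` string is rejected and a whitespace-only one still compiles would pin the behaviour. The Compiler constructor continues outside the hunk.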
@@ -452,7 +457,9 @@ Compiler.prototype = {
   visitMixinBlock: function(block) {
     if (this.pp)
       this.buf.push(
-        "pug_indent.push('" + Array(this.indents + 1).join(this.pp) + "');"
+        'pug_indent.push(' +
+          stringify(Array(this.indents + 1).join(this.pp)) +
+          ');'
       );
     this.buf.push('block && block();');
     if (this.pp) this.buf.push('pug_indent.pop();');
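Review bot: The expression added here, `'pug_indent.push(' + stringify(Array(this.indents + 1).join(this.pp)) + ');'`, is repeated almost verbatim in the next hunk (with `pp`), so the escaping rule now lives in two places that can drift apart. A small shared helper on the prototype that returns the push statement for the current indent would keep the `stringify` call in one spot. Separately, `this.pp.repeat(this.indents)` reads more directly than `Array(this.indents + 1).join(this.pp)`. `stringify` is not defined in any visible line, so the change presumably relies on the file already having it in scope. visitMixinBlock continues outside the hunk.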
@@ -504,7 +511,9 @@ Compiler.prototype = {
       this.mixins[key].used = true;
       if (pp)
         this.buf.push(
-          "pug_indent.push('" + Array(this.indents + 1).join(pp) + "');"
+          'pug_indent.push(' +
+            stringify(Array(this.indents + 1).join(pp)) +
+            ');'
         );
       if (block || attrs.length || attrsBlocks.length) {
         this.buf.push(name + '.call({');