From 4bbdb10080f381bb5c0d02e01951af783efb6074 Mon Sep 17 00:00:00 2001
From: Snider <snider@host.uk.com>
Date: Wed, 15 Apr 2026 02:14:45 +0100
Subject: [PATCH] Harden StripTags against stray angle brackets

---
 pipeline.go      | 11 ++++++++++-
 pipeline_test.go |  8 ++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/pipeline.go b/pipeline.go
index bd5bf42..2b62418 100644
--- a/pipeline.go
+++ b/pipeline.go
@@ -32,7 +32,7 @@ func StripTags(html string) string {
 
 		switch r {
 		case '<':
-			if i+1 < len(runes) && isTagStartRune(runes[i+1]) {
+			if i+1 < len(runes) && isTagStartRune(runes[i+1]) && hasTagCloser(runes, i+2) {
 				inTag = true
 				continue
 			}
@@ -67,6 +67,15 @@ func isTagStartRune(r rune) bool {
 	}
 }
 
+func hasTagCloser(runes []rune, start int) bool {
+	for i := start; i < len(runes); i++ {
+		if runes[i] == '>' {
+			return true
+		}
+	}
+	return false
+}
+
 // Imprint renders a node tree to HTML, strips tags, tokenises the text,
 // and returns a GrammarImprint — the full render-reverse pipeline.
 // Usage example: imp := Imprint(Text("welcome"), NewContext())
diff --git a/pipeline_test.go b/pipeline_test.go
index 7450ee9..6dd0777 100644
--- a/pipeline_test.go
+++ b/pipeline_test.go
@@ -54,6 +54,14 @@ func TestStripTags_PreservesComparisonOperators_Good(t *testing.T) {
 	}
 }
 
+func TestStripTags_LiteralAngleBracket_Good(t *testing.T) {
+	got := StripTags(`a<b`)
+	want := `a<b`
+	if got != want {
+		t.Errorf("StripTags(literal angle) = %q, want %q", got, want)
+	}
+}
+
 func TestStripTags_Entities_Good(t *testing.T) {
 	got := StripTags(`&lt;script&gt;`)
 	want := "&lt;script&gt;"