highlightjs · KJyang-0114 · Mar 3, 2026 · Mar 3, 2026
diff --git a/pr-body.md b/pr-body.md
@@ -0,0 +1,13 @@
+## Summary
+
+When `highlightElement` is called on already-highlighted code (e.g., consecutive `hljs.highlightAll()` calls), the existing `<span class="hljs-*">` tags from the previous highlighting are incorrectly flagged as "unescaped HTML" - a false positive security warning.
+
+## Fix
+
+This fix checks for the `data-highlighted` attribute early and silently skips re-highlighting, matching the proposed solution in issue #3761.
+
+## Test
+
+The fix prevents the false warning when calling `hljs.highlightAll()` multiple times on the same code blocks.
+
+Fixes #3761
diff --git a/src/highlight.js b/src/highlight.js
@@ -751,7 +751,8 @@ const HLJS = function(hljs) {
       { el: element, language });
 
     if (element.dataset.highlighted) {
-      console.log("Element previously highlighted. To highlight again, first unset `dataset.highlighted`.", element);
+      // Already highlighted - skip to avoid false "unescaped HTML" warnings
+      // caused by hljs's own <span> tags from previous highlighting
       return;
     }
 

diff --git a/src/languages/bash.js b/src/languages/bash.js
@@ -369,6 +369,12 @@ export default function(hljs) {
     "yes"
   ];
 
+  // Match command-line options like --project, --deployment-package, -f, etc.
+  const OPTIONS = {
+    className: 'attribute',
+    begin: /--[\w-]+|-\w(?!\s*=)/,
+  };
+
   return {
     name: 'Bash',
     aliases: [
@@ -401,7 +407,8 @@ export default function(hljs) {
       ESCAPED_QUOTE,
       APOS_STRING,
       ESCAPED_APOS,
-      VAR
+      VAR,
+      OPTIONS
     ]
   };
 }