Merge pull request #145 from jsteuer/master

html escape img alt attribute
2025-03-04 23:04:52 +00:00 · 2020-07-13 17:13:30 +09:00 · 2020-07-13 17:13:30 +09:00 · b7f25d6cd9
commit b7f25d6cd9
parent b24f9b4dd7 b91c802b8c
2 changed files with 18 additions and 1 deletions
--- a/_test/extra.txt
+++ b/_test/extra.txt
@ -142,3 +142,20 @@ bbb
 //- - - - - - - - -//
 <p><code>{%</code><em>name</em><code>%}</code></p>
 //= = = = = = = = = = = = = = = = = = = = = = = =//
+
+
+
+12: the alt attribute of img should be escaped
+//- - - - - - - - -//
+!["](quot.jpg)
+!['](apos.jpg)
+![<](lt.jpg)
+![>](gt.jpg)
+![&](amp.jpg) 
+//- - - - - - - - -//
+<p><img src="quot.jpg" alt="&quot;" />
+<img src="apos.jpg" alt="'" />
+<img src="lt.jpg" alt="&lt;" />
+<img src="gt.jpg" alt="&gt;" />
+<img src="amp.jpg" alt="&amp;" /></p>
+//= = = = = = = = = = = = = = = = = = = = = = = =//
--- a/renderer/html/html.go
+++ b/renderer/html/html.go
@ -564,7 +564,7 @@ func (r *Renderer) renderImage(w util.BufWriter, source []byte, node ast.Node, e
 		_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
 	}
 	_, _ = w.WriteString(`" alt="`)
-	_, _ = w.Write(n.Text(source))
+	_, _ = w.Write(util.EscapeHTML(n.Text(source)))
 	_ = w.WriteByte('"')
 	if n.Title != nil {
 		_, _ = w.WriteString(` title="`)