commit e46e9ceb29581de3a32c8155f7cfd58ab59b2b8f
parent 883e71c96a8b0004943d26e73c830061a2ae872c
Author: Joe Mooring <joe.mooring@veriphor.com>
Date: Wed, 2 Mar 2022 09:30:57 -0800
markup/goldmark: Escape image alt attribute
Fixes #9594
Diffstat:
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go
@@ -394,3 +394,32 @@ FENCE
builders[i].Build()
}
}
+
+// Issue 9594
+func TestQuotesInImgAltAttr(t *testing.T) {
+ t.Parallel()
+
+ files := `
+-- config.toml --
+[markup.goldmark.extensions]
+ typographer = false
+-- content/p1.md --
+---
+title: "p1"
+---
+
+-- layouts/_default/single.html --
+{{ .Content }}
+`
+
+ b := hugolib.NewIntegrationTestBuilder(
+ hugolib.IntegrationTestConfig{
+ T: t,
+ TxtarString: files,
+ },
+ ).Build()
+
+ b.AssertFileContent("public/p1/index.html", `
+ <img src="b.jpg" alt=""a"">
+ `)
+}
diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go
@@ -175,7 +175,7 @@ func (r *hookedRenderer) renderImageDefault(w util.BufWriter, source []byte, nod
_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
}
_, _ = w.WriteString(`" alt="`)
- _, _ = w.Write(n.Text(source))
+ _, _ = w.Write(util.EscapeHTML(n.Text(source)))
_ = w.WriteByte('"')
if n.Title != nil {
_, _ = w.WriteString(` title="`)