author | (quasar) nebula <qznebula@protonmail.com> | 2025-10-20 12:38:41 -0300 |
committer | (quasar) nebula <qznebula@protonmail.com> | 2025-10-20 12:38:41 -0300 |
commit | f88043e17125affb9bb8e37d5b58e5a65e9c89d7 (patch) | |
tree | 77d29ae865f2bc6d0624b563d1e4f0ea651f02fa /src/html.js | |
parent | 263d55a57013214280dd9ea6f7cfb3e044355a5e (diff) |
html: stricter escapeAttributeValue
Diffstat (limited to 'src/html.js')
-rw-r--r-- | src/html.js | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/src/html.js b/src/html.js
index 30b4d287..eb783ac6 100644
--- a/src/html.js
+++ b/src/html.js
@@ -1420,10 +1420,20 @@ export class Attributes {
   }
 
   #escapeAttributeValue(value) {
-    return value
+    // https://html.spec.whatwg.org/multipage/parsing.html#escapingString
+
+    // assumes the containing attribute value token is written
+    // with double quotes
+
+    value = value
       .toString()
-      .replaceAll('"', '"')
-      .replaceAll("'", ''');
+      .replaceAll('&', '&')
+      .replaceAll('\u00a0', ' ')
+      .replaceAll('<', '<')
+      .replaceAll('>', '>')
+      .replaceAll('"', '"');
+
+    return value;
   }
 
   static parse(string) { |
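Review bot: Dropping the `'` replacement makes the escaper safe only while the comment's assumption holds — that every attribute value this class serializes is wrapped in double quotes — and nothing in the hunk enforces that, so either keep the cheap belt-and-braces line `.replaceAll("'", '&#39;')` after the `"` replacement, or assert the double-quote assumption where the surrounding quotes are actually written. As rendered on this page the replacement targets read as identity replacements (`'&'` → `'&'`, `'"'` → `'"'`), which would escape nothing; this is most likely the page decoding the `&amp;`/`&quot;`/`&nbsp;` references, but it is worth confirming the committed file spells out the named references, since such a mistake is invisible to the eye and disables the escaping entirely. The `&` replacement correctly runs first, so the `&` introduced by the later replacements is not itself re-escaped. Minor style: reassigning the `value` parameter and then returning it can be collapsed to `return value.toString()…;` as the removed code did. The enclosing `Attributes` class starts and ends outside the hunk.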