From f88043e17125affb9bb8e37d5b58e5a65e9c89d7 Mon Sep 17 00:00:00 2001
From: "(quasar) nebula"
Date: Mon, 20 Oct 2025 12:38:41 -0300
Subject: html: stricter escapeAttributeValue
---
src/html.js | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/html.js b/src/html.js
index 30b4d287..eb783ac6 100644
--- a/src/html.js
+++ b/src/html.js
@@ -1420,10 +1420,20 @@ export class Attributes {
 }
 #escapeAttributeValue(value) {
- return value
+ // https://html.spec.whatwg.org/multipage/parsing.html#escapingString
+
+ // assumes the containing attribute value token is written
+ // with double quotes
+
+ value = value
 .toString()
- .replaceAll('"', '"')
- .replaceAll("'", ''');
+ .replaceAll('&', '&')
+ .replaceAll('\u00a0', ' ')
+ .replaceAll('<', '<')
+ .replaceAll('>', '>')
+ .replaceAll('"', '"');
+
+ return value;
 }
 static parse(string) {
-- cgit 1.3.0-6-gf8a5
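Review bot: The new replacement chain drops the `'` escape that the removed lines had, and the only thing guarding that is the comment saying the attribute value token is written with double quotes; if any serialization path in this class (not visible in the hunk) ever emits a single-quoted attribute, an untrusted value containing `'` ends the attribute and whatever follows is parsed as further attributes. Escaping `'` is harmless inside a double-quoted value, so keeping `.replaceAll("'", '&#39;')` after the `"` replacement costs nothing and makes `#escapeAttributeValue` safe regardless of which quote the caller chooses; otherwise the double-quote assumption should be enforced where the attribute is actually written rather than only stated here. Replacing `&` first is correct so later entities are not double-encoded, and escaping `<` and `>` goes beyond what the linked spec requires in attribute mode (`&`, U+00A0 and `"`), which is acceptable defense in depth. In this rendering the right-hand side of each `replaceAll` appears to have had its entity reference decoded to the literal character (the pairs read as no-ops on the page), so the real source presumably contains `&amp;`, `&nbsp;`, `&lt;`, `&gt;`, `&quot;` and should be checked against the actual file. The enclosing `Attributes` class begins and ends outside the hunk.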