Merge pull request #415 from dotnet/EncodeAttributeValue

Html encode to the text that will be used as attributes value.
dotnet · Jun 22, 2016 · 6164c5c · 6164c5c
2 parents 419f7b8 + 08b16dc
commit 6164c5c
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 3 deletions.
diff --git a/src/Microsoft.DocAsCode.MarkdownLite/HtmlRenderer.cs b/src/Microsoft.DocAsCode.MarkdownLite/HtmlRenderer.cs
@@ -231,7 +231,7 @@ public virtual StringBuffer Render(IMarkdownRenderer renderer, MarkdownLinkInlin
             var result = (StringBuffer)"<a href=\"" + token.Href + "\"";
             if (!string.IsNullOrEmpty(token.Title))
             {
-                result = result + " title=\"" + token.Title + "\"";
+                result = result + " title=\"" + StringHelper.HtmlEncode(token.Title) + "\"";
             }
             result += ">";
 
@@ -246,10 +246,10 @@ public virtual StringBuffer Render(IMarkdownRenderer renderer, MarkdownLinkInlin
 
         public virtual StringBuffer Render(IMarkdownRenderer renderer, MarkdownImageInlineToken token, MarkdownInlineContext context)
         {
-            var result = (StringBuffer)"<img src=\"" + token.Href + "\" alt=\"" + token.Text + "\"";
+            var result = (StringBuffer)"<img src=\"" + token.Href + "\" alt=\"" + StringHelper.HtmlEncode(token.Text) + "\"";
             if (!string.IsNullOrEmpty(token.Title))
             {
-                result = result + " title=\"" + token.Title + "\"";
+                result = result + " title=\"" + StringHelper.HtmlEncode(token.Title) + "\"";
             }
 
             result += renderer.Options.XHtml ? "/>" : ">";

diff --git a/test/Microsoft.DocAsCode.Dfm.Tests/DocfxFlavoredMarkdownTest.cs b/test/Microsoft.DocAsCode.Dfm.Tests/DocfxFlavoredMarkdownTest.cs
@@ -582,6 +582,30 @@ public void TestSection_AzureMultiSelector()
             Assert.Equal(expected.Replace("\r\n", "\n"), marked);
         }
 
+        [Fact]
+        [Trait("Related", "DfmMarkdown")]
+        public void TestDfmImageLink_WithSpecialCharactorsInAltText()
+        {
+            var source = @"![This is image alt text with quotation ' and double quotation ""hello"" world](girl.png)";
+
+            var expected = @"<p><img src=""girl.png"" alt=""This is image alt text with quotation &#39; and double quotation &quot;hello&quot; world""/></p>
+";
+            var marked = DocfxFlavoredMarked.Markup(source);
+            Assert.Equal(expected.Replace("\r\n", "\n"), marked);
+        }
+
+        [Fact]
+        [Trait("Related", "DfmMarkdown")]
+        public void TestDfmLink_WithSpecialCharactorsInTitle()
+        {
+            var source = @"[This is link text with quotation ' and double quotation ""hello"" world](girl.png ""title is ""hello"" world."")";
+
+            var expected = @"<p><a href=""girl.png"" title=""title is &amp;quot;hello&amp;quot; world."">This is link text with quotation &#39; and double quotation &quot;hello&quot; world</a></p>
+";
+            var marked = DocfxFlavoredMarked.Markup(source);
+            Assert.Equal(expected.Replace("\r\n", "\n"), marked);
+        }
+
         [Fact]
         [Trait("Related", "DfmMarkdown")]
         public void TestPathUtility_AbsoluteLinkWithBracketAndBrackt()

diff --git a/test/Microsoft.DocAsCode.MarkdownLite.Tests/GfmTest.cs b/test/Microsoft.DocAsCode.MarkdownLite.Tests/GfmTest.cs
@@ -547,6 +547,28 @@ public void TestTable_WithRefLink()
 </tr>
 </tbody>
 </table>
+";
+            TestGfmInGeneral(source, expected);
+        }
+
+        [Fact]
+        [Trait("Related", "Markdown")]
+        public void TestGfmImageLink_WithSpecialCharactorsInAltText()
+        {
+            var source = @"![This is image alt text with quotation ' and double quotation ""hello"" world](girl.png)";
+
+            var expected = @"<p><img src=""girl.png"" alt=""This is image alt text with quotation &#39; and double quotation &quot;hello&quot; world""></p>
+";
+            TestGfmInGeneral(source, expected);
+        }
+
+        [Fact]
+        [Trait("Related", "Markdown")]
+        public void TestGfmLink_WithSpecialCharactorsInTitle()
+        {
+            var source = @"[This is link text with quotation ' and double quotation ""hello"" world](girl.png ""title is ""hello"" world."")";
+
+            var expected = @"<p><a href=""girl.png"" title=""title is &amp;quot;hello&amp;quot; world."">This is link text with quotation &#39; and double quotation &quot;hello&quot; world</a></p>
 ";
             TestGfmInGeneral(source, expected);
         }