fix: escape \includegraphics src and alt
edemaine committed Mar 24, 2024
1 parent 5677f37 commit c5897fc
Showing 2 changed files with 18 additions and 5 deletions.
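--- a/src/domTree.js
+++ b/src/domTree.js
@@ -315,7 +315,8 @@ export class Img implements VirtualNode {
 }
 
 toMarkup(): string {
-let markup = `<img src='${this.src} 'alt='${this.alt}' `;
+let markup = `<img src="${utils.escape(this.src)}"` +
+` alt="${utils.escape(this.alt)}"`;
 
 // Add the styles, after hyphenation
 let styles = "";
@@ -512,7 +513,7 @@ export class SvgNode implements VirtualNode {
 // Apply attributes
 for (const attr in this.attributes) {
 if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
-markup += ` ${attr}='${this.attributes[attr]}'`;
+markup += ` ${attr}="${utils.escape(this.attributes[attr])}"`;
 }
 }
 
@@ -553,9 +554,9 @@ export class PathNode implements VirtualNode {
 
 toMarkup(): string {
 if (this.alternate) {
-return `<path d='${this.alternate}'/>`;
+return `<path d="${utils.escape(this.alternate)}"/>`;
 } else {
-return `<path d='${path[this.pathName]}'/>`;
+return `<path d="${utils.escape(path[this.pathName])}"/>`;
 }
 }
 }
@@ -586,7 +587,7 @@ export class LineNode implements VirtualNode {
 for (const attr in this.attributes) {
 if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
-markup += ` ${attr}='${this.attributes[attr]}'`;
+markup += ` ${attr}="${utils.escape(this.attributes[attr])}"`;
 }
 }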
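Review bot: In the `SvgNode` and `LineNode` attribute loops the value is now escaped, but the attribute name `${attr}` is still written into the tag as-is, and entity-escaping would not be the right tool for a name anyway. Whether any key of `this.attributes` can originate from input is not visible from these hunks; if it can, a name containing whitespace, `=`, `>` or a quote would still change the shape of the tag. I would validate the name before emitting it, for example `if (!/^[A-Za-z_:][\w:.-]*$/.test(attr)) { continue; }` at the top of the `hasOwnProperty` branch, or throw instead of skipping if a malformed name should be treated as a bug. Both `toMarkup` bodies start and end outside the hunks shown, so the same check should be confirmed against any other attribute-serialising loop in the file.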
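--- a/test/katex-spec.js
+++ b/test/katex-spec.js
@@ -2096,6 +2096,18 @@ describe("An includegraphics builder", function() {
 const built = getBuilt(img, trustSettings);
 expect(built).toMatchSnapshot();
 });
+
+it("should escape source", () => {
+const built = katex.renderToString(
+"\\includegraphics{'\"}", trustSettings);
+expect(built).toContain('<img src="&#x27;&quot;"');
+});
+
+it("should escape alt", () => {
+const built = katex.renderToString(
+"\\includegraphics[alt='\"]{image.png}", trustSettings);
+expect(built).toContain('<img src="image.png" alt="&#x27;&quot;"');
+});
 });
 
 describe("An HTML extension builder", function() {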
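Review bot: The two added cases pin only the `Img` path and only the two quote characters, while the same commit also changes the markup emitted by `SvgNode`, `PathNode` and `LineNode`, none of which gets a regression test here. I would add a case that builds one of those nodes directly with an attribute value containing `"` and asserts that its `toMarkup()` output contains `&quot;`, so a later refactor cannot silently drop the escaping on those paths. It would also help to extend the `\includegraphics` inputs with `<` and `&`, provided the argument parser accepts them, so the test covers the full escape set rather than quotes alone. The enclosing `describe` block starts outside the hunk.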
