File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -315,7 +315,8 @@ export class Img implements VirtualNode {
315315 }
316316
317317 toMarkup ( ) : string {
318- let markup = `<img src='${ this . src } ${ this . alt } ;
318+ let markup = `<img src="${ utils . escape ( this . src ) } +
319+ ` alt="${ utils . escape ( this . alt ) } ;
319320
320321 // Add the styles, after hyphenation
321322 let styles = "" ;
@@ -512,7 +513,7 @@ export class SvgNode implements VirtualNode {
512513 // Apply attributes
513514 for ( const attr in this . attributes ) {
514515 if ( Object . prototype . hasOwnProperty . call ( this . attributes , attr ) ) {
515- markup += ` ${attr } = '${ this . attributes [ attr ] } ' `;
516+ markup += ` ${attr } = "${ utils . escape ( this . attributes [ attr ] ) } " `;
516517 }
517518 }
518519
@@ -553,9 +554,9 @@ export class PathNode implements VirtualNode {
553554
554555 toMarkup ( ) : string {
555556 if ( this . alternate ) {
556- return `< path d = '${ this . alternate } ' / > `;
557+ return `< path d = "${ utils . escape ( this . alternate ) } " / > `;
557558 } else {
558- return ` < path d = '${ path[this.pathName]}' / > `;
559+ return ` < path d = "${utils.escape( path[this.pathName])}" / > `;
559560 }
560561 }
561562}
@@ -586,7 +587,7 @@ export class LineNode implements VirtualNode {
586587
587588 for (const attr in this.attributes) {
588589 if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
589- markup += ` $ { attr } = '${ this . attributes [ attr ] } ' `;
590+ markup += ` $ { attr } = "${utils.escape( this.attributes[attr])}" `;
590591 }
591592 }
592593
Original file line number Diff line number Diff line change @@ -2096,6 +2096,18 @@ describe("An includegraphics builder", function() {
20962096 const built = getBuilt ( img , trustSettings ) ;
20972097 expect ( built ) . toMatchSnapshot ( ) ;
20982098 } ) ;
2099+
2100+ it ( "should escape source" , ( ) => {
2101+ const built = katex . renderToString (
2102+ "\\includegraphics{'\"}" , trustSettings ) ;
2103+ expect ( built ) . toContain ( '<img src="'""' ) ;
2104+ } ) ;
2105+
2106+ it ( "should escape alt" , ( ) => {
2107+ const built = katex . renderToString (
2108+ "\\includegraphics[alt='\"]{image.png}" , trustSettings ) ;
2109+ expect ( built ) . toContain ( '<img src="image.png" alt="'""' ) ;
2110+ } ) ;
20992111} ) ;
21002112
21012113describe ( "An HTML extension builder" , function ( ) {
You can’t perform that action at this time.
0 commit comments