From ae01d64641bbf3413c91dc2ec175c983f7edfce2 Mon Sep 17 00:00:00 2001
From: lihbr
Date: Wed, 28 Jul 2021 10:54:19 +0200
Subject: [PATCH] fix: prevent XSS on image tag serialization

---
 package-lock.json | 2 +-
 src/richtext.js | 2 +-
 test/richtext.spec.js | 26 +++++++++++++++++++++-----
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 2986505..5163931 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "prismic-dom",
- "version": "2.2.3",
+ "version": "2.2.5",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/src/richtext.js b/src/richtext.js
index c7a10b2..47408df 100644
--- a/src/richtext.js
+++ b/src/richtext.js
@@ -45,7 +45,7 @@ function serializeImage(linkResolver, element) {
 const linkUrl = element.linkTo ? LinkHelper.url(element.linkTo, linkResolver) : null;
 const linkTarget = element.linkTo && element.linkTo.target ? `target="${element.linkTo.target}" rel="noopener"` : '';
 const wrapperClassList = [element.label || '', 'block-img'];
- const img = `${element.alt || ''}`;
+ const img = `${element.alt ? escapeHtml(element.alt) : ''}`;
 return (`
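Review bot: The attribute injection this commit closes for `alt` on the `+` line still applies to the two context lines just above it: `element.linkTo.target` is interpolated into `target="…"` and `element.label` into the wrapper class list without escaping, and both presumably arrive in the same document payload as `alt`. I would apply the same helper there, `target="${escapeHtml(element.linkTo.target)}" rel="noopener"` and `[element.label ? escapeHtml(element.label) : '', 'block-img']`, and extend the image mock in `test/richtext.spec.js` with a `label` and `linkTo.target` that contain a double quote so the new regression test covers those attributes as well. Whether `escapeHtml` is in scope in `src/richtext.js` is not visible in this hunk. The remainder of `serializeImage`'s returned template, including the other attributes of the changed `img` line, continues past the end of the hunk, so this note covers only the lines shown.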

diff --git a/test/richtext.spec.js b/test/richtext.spec.js index c5ce803..b6146be 100644 --- a/test/richtext.spec.js +++ b/test/richtext.spec.js @@ -44,7 +44,8 @@ const mock = [ "url": "https://example.org\" onmouseover=\"alert(document.cookie);" } }] - },{ + }, + { "type": "paragraph", "text": "This is a normal link.", "spans": [{ @@ -56,7 +57,17 @@ const mock = [ "url": "https://prismic.io" } }] - } + }, + { + "type": "image", + "url": "https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format", + "alt": "An \"Atlantic\" Puffin", + "copyright": "\"unsplash\"", + "dimensions": { + "width": 2400, + "height": 1602 + } + } ]; describe('asText', function() { @@ -68,7 +79,7 @@ describe('asText', function() { // Until pull request https://github.com/prismicio/prismic-richtext/pull/8 // is released, we test for the old behaviour. it('should join blocks with one whitespace (default)', function() { - expect(result).to.equal('A > B \n TEST\n This is bold and italic and >:) both. This is a link with XSS. This is a normal link.'); + expect(result).to.equal('A > B \n TEST\n This is bold and italic and >:) both. This is a link with XSS. This is a normal link. '); }); }); @@ -92,7 +103,8 @@ describe('asHtml', function() { '

<example>\n  TEST\n</example>
', '

This is bold and italic and >:) both.

', '

This is a link with XSS.

', - '

This is a normal link.

' + '

This is a normal link.

', + '

\n An "Atlantic" Puffin\n

' ]; it('should contain the first paragraph with special character escaped', function() { @@ -110,5 +122,9 @@ describe('asHtml', function() { it('should contain valid external link', function() { expect(result).have.string(expectations[4]); }); + + it('should contain valid image', function() { + expect(result).have.string(expectations[5]); + }); }); -}); +}); \ No newline at end of file