Fix dart-lang#586: encode image tag's src attribute

tomyeh · Feb 23, 2024 · c39670e · c39670e
1 parent d735b0b
commit c39670e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/src/inline_syntaxes/image_syntax.dart b/lib/src/inline_syntaxes/image_syntax.dart
@@ -24,7 +24,9 @@ class ImageSyntax extends LinkSyntax {
   }) {
     final element = Element.empty('img');
     final children = getChildren();
-    element.attributes['src'] = destination;
+    element.attributes['src'] = normalizeLinkDestination(
+      escapePunctuation(destination),
+    );
     element.attributes['alt'] = children.map((node) {
       // See https://spec.commonmark.org/0.30/#image-description.
       // An image description may contain links. Fetch text from the alt

diff --git a/test/original/inline_images.unit b/test/original/inline_images.unit
@@ -18,3 +18,8 @@
 
 <<<
 <p><img src="http://foo.com/foo.png" alt="alt" /></p>
+>>> XSS
+![Uh oh...]("onerror="alert('XSS'))
+
+<<<
+<p><img src="%22onerror=%22alert('XSS')" alt="Uh oh..." /></p>