fix: escape image alt text (#3896)

UziTech · web-flow · commit 909fe442aadc · 2026-02-17T13:03:25.000-07:00
diff --git a/src/Renderer.ts b/src/Renderer.ts
@@ -182,7 +182,7 @@ export class _Renderer<ParserOutput = string, RendererOutput = string> {
     }
     href = cleanHref;
 
-    let out = `<img src="${href}" alt="${text}"`;
+    let out = `<img src="${href}" alt="${escape(text)}"`;
     if (title) {
       out += ` title="${escape(title)}"`;
     }
diff --git a/test/specs/new/image_alt.html b/test/specs/new/image_alt.html
@@ -0,0 +1 @@
+<p><img src="https://example.com/404.jpg" alt="&quot; onerror=&quot;alert('XSS')&quot;" /></p>
diff --git a/test/specs/new/image_alt.md b/test/specs/new/image_alt.md
@@ -0,0 +1 @@
+![" onerror="alert('XSS')"](https://example.com/404.jpg)

Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ export class _Renderer<ParserOutput = string, RendererOutput = string> {`
`182`	`182`	`}`
`183`	`183`	`href = cleanHref;`
`184`	`184`
`185`		- let out = `<img src="${href}" alt="${text}"`;
	`185`	+ let out = `<img src="${href}" alt="${escape(text)}"`;
`186`	`186`	`if (title) {`
`187`	`187`	out += ` title="${escape(title)}"`;
`188`	`188`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<p><img src="https://example.com/404.jpg" alt="" onerror="alert('XSS')"" /></p>`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+![" onerror="alert('XSS')"](https://example.com/404.jpg)`