diff options
| author |  Matt Kane <m@mk.gg>
| 2025-03-03 10:56:18 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-03-03 10:56:18 +0000 |
| commit | 50e2e0b3749d6dba3d301ea1a0a3a33a273e7a81 (patch) | |
| tree | aecdb93c902908f92a4bd86664b2de113147595d | |
| parent | 8483502bb222858af96304a35f5d94b450d2e132 (diff) | |
| download | astro-50e2e0b3749d6dba3d301ea1a0a3a33a273e7a81.tar.gz astro-50e2e0b3749d6dba3d301ea1a0a3a33a273e7a81.tar.zst astro-50e2e0b3749d6dba3d301ea1a0a3a33a273e7a81.zip | |
fix: escape img attributes in Markdown (#13349)
| -rw-r--r-- | .changeset/fuzzy-planes-collect.md | 5 | ||||
| -rw-r--r-- | packages/astro/src/content/runtime.ts | 4 | ||||
| -rw-r--r-- | packages/astro/test/content-layer.test.js | 4 | ||||
| -rw-r--r-- | packages/astro/test/fixtures/content-layer/src/content/space/lunar-module.md | 2 |
4 files changed, 14 insertions, 1 deletions
diff --git a/.changeset/fuzzy-planes-collect.md b/.changeset/fuzzy-planes-collect.md new file mode 100644 index 000000000..f54d4fc09 --- /dev/null +++ b/.changeset/fuzzy-planes-collect.md @@ -0,0 +1,5 @@ +--- +'astro': patch +--- + +Correctly escapes attributes in Markdown images diff --git a/packages/astro/src/content/runtime.ts b/packages/astro/src/content/runtime.ts index 52aaec642..b3089275c 100644 --- a/packages/astro/src/content/runtime.ts +++ b/packages/astro/src/content/runtime.ts @@ -6,6 +6,8 @@ import type { GetImageResult, ImageMetadata } from '../assets/types.js'; import { imageSrcToImportId } from '../assets/utils/resolveImports.js'; import { AstroError, AstroErrorData, AstroUserError } from '../core/errors/index.js'; import { prependForwardSlash } from '../core/path.js'; +import { escape } from 'html-escaper'; + import { type AstroComponentFactory, createComponent, @@ -451,7 +453,7 @@ async function updateImageReferencesInBody(html: string, fileName: string) { src: image.src, srcset: image.srcSet.attribute, }) - .map(([key, value]) => (value ? `${key}=${JSON.stringify(String(value))}` : '')) + .map(([key, value]) => (value ? `${key}="${escape(value)}"` : '')) .join(' '); }); } diff --git a/packages/astro/test/content-layer.test.js b/packages/astro/test/content-layer.test.js index 82b576bda..2ae372137 100644 --- a/packages/astro/test/content-layer.test.js +++ b/packages/astro/test/content-layer.test.js @@ -252,6 +252,10 @@ describe('Content Layer', () => { assert.ok($('img[alt="shuttle"]').attr('src').startsWith('/_astro')); }); + it('escapes alt text in markdown', async () => { + assert.equal($('img[alt^="xss"]').attr('alt'), 'xss "><script>alert(1)</script>'); + }); + it('returns a referenced entry', async () => { assert.ok(json.hasOwnProperty('referencedEntry')); assert.deepEqual(json.referencedEntry, { diff --git a/packages/astro/test/fixtures/content-layer/src/content/space/lunar-module.md b/packages/astro/test/fixtures/content-layer/src/content/space/lunar-module.md index 780106de4..2d6d23853 100644 --- a/packages/astro/test/fixtures/content-layer/src/content/space/lunar-module.md +++ b/packages/astro/test/fixtures/content-layer/src/content/space/lunar-module.md @@ -13,3 +13,5 @@ The Lunar Module (LM, pronounced "Lem"), originally designated the Lunar Excursi   + + |