From d54b3398096a44172a72baeb542c3a36dd7280c0 Mon Sep 17 00:00:00 2001
From: Dmitry Klimensky
Date: Tue, 10 Aug 2021 16:14:37 +0300
Subject: [PATCH] Escape values of HTML attributes
---
 lib/discourse_diff.rb | 2 +-
 spec/components/discourse_diff_spec.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/discourse_diff.rb b/lib/discourse_diff.rb
index cdf37870201..3887abe134c 100644
--- a/lib/discourse_diff.rb
+++ b/lib/discourse_diff.rb
@@ -256,7 +256,7 @@ class DiscourseDiff
 USELESS_TAGS = %w{html body}
 def start_element(name, attributes = [])
 return if USELESS_TAGS.include?(name)
- attrs = attributes.map { |a| " #{a[0]}=\"#{a[1]}\"" }.join
+ attrs = attributes.map { |a| " #{a[0]}=\"#{CGI::escapeHTML(a[1])}\"" }.join
 @tokens << "<#{name}#{attrs}>"
 end
diff --git a/spec/components/discourse_diff_spec.rb b/spec/components/discourse_diff_spec.rb
index d8683decc85..7f7d61ed9dc 100644
--- a/spec/components/discourse_diff_spec.rb
+++ b/spec/components/discourse_diff_spec.rb
@@ -107,6 +107,11 @@ describe DiscourseDiff do
 expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("
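Review bot: `CGI::escapeHTML` raises TypeError on nil, so if the SAX parser ever reports a valueless attribute (`<input disabled>`) with a nil value, the new `attrs` line in `start_element` will now fail where the old interpolation silently produced `disabled=""`; `CGI.escapeHTML(a[1].to_s)` keeps the escaping and tolerates that case, assuming the parser can yield nil here — worth confirming against its attribute callback. The hunk does not show a `require "cgi"`; in a Rails process the constant is normally loaded already, but it should be confirmed for any context that loads `DiscourseDiff` on its own. Style-wise, `CGI.escapeHTML(...)` is the conventional call form (`::` is reserved for constants; RuboCop Style/ColonMethodCall). The attribute name `a[0]` and the element `name` are still interpolated verbatim, which is fine only as long as the parser never produces a name containing `"`, `<` or `>`; a one-line comment such as `# attribute names and tag names come straight from the parser and are not escaped` would make that trust boundary explicit. The enclosing class continues outside the hunk.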

'

") end + it "escapes attribute values" do + before = "

" + after = "

" + expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("

") + end end describe "side_by_side_markdown" do