#23 ✓resolved
Paweł Gościcki

ALT/TITLE attributes for images should escape double quotes, angle brackets, ampersands

Reported by Paweł Gościcki | July 25th, 2008 @ 05:52 PM | in 4.0.2

The following produces invalid markup:

RedCloth.new('!/pictures/picture.jpg(He said: "This is the alt text")!').to_html
=> "<p><img src="/pictures/picture.jpg" title="He said: "This is the alt text"" alt="He said: "This is the alt text"" /></p>"

The end user is usually unaware that such an image caption would render invalid markup, so escaping at least those three characters seems reasonable.

Btw: The redcloth.org Textile documentation is missing the Textile syntax for images.
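As an added example (not RedCloth's own code), here is a minimal renderer for the Textile image syntax that escapes the five characters that can break out of an attribute value; `IMAGE_RE`, `escape_attr` and `image_to_html` are names assumed for this illustration and use a simplified grammar (`!src!` or `!src(alt)!` only):

```ruby
# Added example, not RedCloth's code: render !src(alt)! to <img> with
# attribute values escaped so a caption containing quotes, angle
# brackets or ampersands cannot terminate or alter the attribute.

# Single quotes are included as well, so the same escaper is safe for
# values that end up inside single-quoted attributes or inline styles.
ATTR_ESCAPES = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;',
}.freeze

# Escape a string for use inside a double- or single-quoted HTML attribute.
def escape_attr(value)
  value.gsub(/[&<>"']/) { |ch| ATTR_ESCAPES[ch] }
end

# Hypothetical simplified Textile image grammar: !src! or !src(alt)!
IMAGE_RE = /!([^\s!(]+)(?:\(([^)]*)\))?!/

# Returns the <img> markup for the first image in `textile`, or nil.
def image_to_html(textile)
  m = IMAGE_RE.match(textile)
  return nil unless m

  src, alt = m[1], m[2]
  attrs = %(src="#{escape_attr(src)}")
  # RedCloth emits the caption as both title and alt; escape it in both.
  attrs += %( title="#{escape_attr(alt)}" alt="#{escape_attr(alt)}") if alt
  "<img #{attrs} />"
end

# Sanity check a rendered tag: every attribute must be a well-formed
# name="value" pair with no raw quote, angle bracket or bare ampersand.
def attributes_well_formed?(html)
  body = html[/\A<img (.*) \/>\z/, 1] or return false
  body.scan(/(\w+)="([^"]*)"/).all? { |_, v| v !~ /[<>"']|&(?![a-z#0-9]+;)/ } &&
    body.gsub(/\w+="[^"]*"/, '').strip.empty?
end
```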

Comments and changes to this ticket

  • David Reese

    David Reese July 28th, 2008 @ 10:49 PM

    Probably also true for ACRONYM, the other element that uses user-provided title. I can't tell if you'd want to just inline_html() the alt/title or not.

  • VirtualFunction

    VirtualFunction August 4th, 2008 @ 02:17 PM

    While I've mentioned it to Jason, it happens that none of the attribute fields seem to be escaping HTML entities and the urlesc method was only handling ampersands.

    This led to the possible issue on inline styles with background-image sections (or anything using entities) that use single quotes (it's legit CSS, but older MS IE versions can't handle it). I managed to make sure it handles ' as ' entities instead of @’@, however this acts globally to all attributes including title, etc. as it's hard to be contextually aware here. I thought I'd better post that here so others are aware if the fix I've put in gets merged.

  • Jason Garber

    Jason Garber August 4th, 2008 @ 04:43 PM

    Fixed with a patch from VirtualFunction in 3530f0fb10

  • Jason Garber

    Jason Garber August 4th, 2008 @ 04:43 PM

    • State changed from “new” to “resolved”

  • Jason Garber

    Jason Garber August 14th, 2008 @ 05:32 PM

    • Milestone set to 4.0.2


RedCloth is a Ruby library for converting Textile into HTML
