#23 ALT/TITLE attributes for images should escape double quotes, angle brackets, ampersands - RedCloth

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#23 ✓resolved

ALT/TITLE attributes for images should escape double quotes, angle brackets, ampersands

Reported by Paweł Gościcki | July 25th, 2008 @ 05:52 PM | in 4.0.2

The following produces invalid markup:

RedCloth.new('!/pictures/picture.jpg(He said: "This is the alt text")!').to_html
=> "<p><img src="/pictures/picture.jpg" title="He said: "This is the alt text"" alt="He said: "This is the alt text"" /></p>"

End user is usually unaware that such image caption would render invalid markup, so escaping at least those three characters seems reasonable.

Btw: The redcloth.org Textile documentation is missing the Textile syntax for images.

Comments and changes to this ticket

You flagged this item as spam.
David Reese July 28th, 2008 @ 10:49 PM
Probably also true for ACRONYM, the other element that uses user-provided title. I can't tell if you'd want to just inline_html() the alt/title or not.
You flagged this item as spam.
VirtualFunction August 4th, 2008 @ 02:17 PM
While I've mentioned it to Jason, it happens that none of the attribute fields seem to be escaping HTML entities and the urlesc method was only handling ampersands.
This lead to the possible issue on inline styles with background-image sections (or anything using entities) that use single quotes (it's legit CSS, but older MS IE versions can't handle it). I managed to make sure it handles ' as ' entities instead of @’@, however this acts globally to all attributes including title, etc as it's hard to be contextually aware here. I thought I better post that here so others are aware if the fix I've put in gets merged.
Jason Garber August 4th, 2008 @ 04:43 PM
Fixed with a patch from VirtualFunction in 3530f0fb10
Jason Garber August 4th, 2008 @ 04:43 PM
- State changed from “new” to “resolved”
Jason Garber August 14th, 2008 @ 05:32 PM
- Milestone set to “4.0.2”

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

RedCloth is a Ruby library for converting Textile into HTML

Shared Ticket Bins (Sort)

↓↑ drag 8 LaTeX
↓↑ drag 1 Documentation

People watching this ticket

Referenced by

71 ALT/TITLE attributes for images should accept round brackets as valid characters This is partially related to ticket #23.

Jgarber RedCloth → 4.0.2