html renderer: Don't preserve entities when rendering...

href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. `&colon;`, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
commonmark · Mar 21, 2019 · c89b35c · c89b35c
1 parent 5181f25
commit c89b35c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/lib/render/html.js b/lib/render/html.js
@@ -62,10 +62,10 @@ function link(node, entering) {
   var attrs = this.attrs(node);
   if (entering) {
     if (!(this.options.safe && potentiallyUnsafe(node.destination))) {
-      attrs.push(['href', this.esc(node.destination, true)]);
+      attrs.push(['href', this.esc(node.destination, false)]);
     }
     if (node.title) {
-      attrs.push(['title', this.esc(node.title, true)]);
+      attrs.push(['title', this.esc(node.title, false)]);
     }
     this.tag('a', attrs);
   } else {
@@ -79,7 +79,7 @@ function image(node, entering) {
       if (this.options.safe && potentiallyUnsafe(node.destination)) {
         this.lit('<img src="" alt="');
       } else {
-        this.lit('<img src="' + this.esc(node.destination, true) +
+        this.lit('<img src="' + this.esc(node.destination, false) +
             '" alt="');
       }
     }
@@ -88,7 +88,7 @@ function image(node, entering) {
     this.disableTags -= 1;
     if (this.disableTags === 0) {
       if (node.title) {
-        this.lit('" title="' + this.esc(node.title, true));
+        this.lit('" title="' + this.esc(node.title, false));
       }
       this.lit('" />');
     }
@@ -143,7 +143,7 @@ function code_block(node) {
   var info_words = node.info ? node.info.split(/\s+/) : []
     , attrs = this.attrs(node);
   if (info_words.length > 0 && info_words[0].length > 0) {
-    attrs.push(['class', 'language-' + this.esc(info_words[0], true)]);
+    attrs.push(['class', 'language-' + this.esc(info_words[0], false)]);
   }
   this.cr();
   this.tag('pre');

diff --git a/test/regression.txt b/test/regression.txt
@@ -95,8 +95,8 @@ Issue #116 - tabs before and after ATX closing heading
 <h1>foo</h1>
 ````````````````````````````````
 
-commonmark/CommonMark#493 - escaped space not allowed in link
-destination.
+commonmark/CommonMark#493 - escaped space not allowed in link destination.
+
 ```````````````````````````````` example
 [link](a\ b)
 .
@@ -116,3 +116,11 @@ City:
 <meta itemprop="name" content="Springfield">
 </span></p>
 ````````````````````````````````
+
+Double-encoding.
+
+```````````````````````````````` example
+[XSS](javascript&amp;colon;alert%28&#039;XSS&#039;%29)
+.
+<p><a href="javascript&amp;colon;alert('XSS')">XSS</a></p>
+````````````````````````````````