authorGravatar Peter De Wachter <pdewacht@gmail.com>2019-08-14 09:33:54 +0200
committerGravatar Frédéric Guillot <fred@miniflux.net>2019-08-15 21:39:41 -0700
commitea2b6e3608624a2a14af1956a3ad0035b7fb09f0 (patch)
tree693bda6a0522c069ec6cff94db9c9a9eabc82d42 /reader/rewrite/rewrite_functions.go
parent3a39d110f0f2a3e976df1e810a861c602a634d14 (diff)
addImageTitle: Fix HTML injection
This rewrite rule would change this: <img title="<foo>"> to this: <figure><img><figcaption><foo></figcaption></figure> The image title needs to be properly escaped.
Diffstat (limited to 'reader/rewrite/rewrite_functions.go')
-rw-r--r--reader/rewrite/rewrite_functions.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/reader/rewrite/rewrite_functions.go b/reader/rewrite/rewrite_functions.go
index 6ce9693..667f359 100644
--- a/reader/rewrite/rewrite_functions.go
+++ b/reader/rewrite/rewrite_functions.go
@@ -6,6 +6,7 @@ package rewrite // import "miniflux.app/reader/rewrite"
import (
"fmt"
+ "html"
"regexp"
"strings"
@@ -32,7 +33,7 @@ func addImageTitle(entryURL, entryContent string) string {
srcAttr, _ := img.Attr("src")
titleAttr, _ := img.Attr("title")
- img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + titleAttr + `</p></figcaption></figure>`)
+ img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + html.EscapeString(titleAttr) + `</p></figcaption></figure>`)
})
output, _ := doc.Find("body").First().Html()
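Review bot: On the new `img.ReplaceWithHtml` line only `titleAttr` goes through `html.EscapeString`; `srcAttr` and `altAttr` are still concatenated unescaped into double-quoted attribute values. If goquery returns decoded attribute values, as the commit description implies for `title`, a `"` in a feed-supplied `src` or `alt` would close the attribute and the remainder would be parsed as markup, so the same injection class remains open. I would wrap both the same way, `html.EscapeString(srcAttr)` and `html.EscapeString(altAttr)`, and add a regression test whose `alt` and `title` contain a quote and an angle bracket. `altAttr` is assigned above the hunk and the function continues past it, so this is based on the visible lines only.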