From c39670e0942fabe0af97c5a5e135aa5e75ffd4e4 Mon Sep 17 00:00:00 2001
From: Tom Yeh <tomyeh@potix.com>
Date: Fri, 23 Feb 2024 10:07:11 +0800
Subject: [PATCH] Fix #586: encode image tag's src attribute

---
 lib/src/inline_syntaxes/image_syntax.dart | 4 +++-
 test/original/inline_images.unit          | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/src/inline_syntaxes/image_syntax.dart b/lib/src/inline_syntaxes/image_syntax.dart
index 5d36e582..a8b2c358 100644
--- a/lib/src/inline_syntaxes/image_syntax.dart
+++ b/lib/src/inline_syntaxes/image_syntax.dart
@@ -24,7 +24,9 @@ class ImageSyntax extends LinkSyntax {
   }) {
     final element = Element.empty('img');
     final children = getChildren();
-    element.attributes['src'] = destination;
+    element.attributes['src'] = normalizeLinkDestination(
+      escapePunctuation(destination),
+    );
     element.attributes['alt'] = children.map((node) {
       // See https://spec.commonmark.org/0.30/#image-description.
       // An image description may contain links. Fetch text from the alt
diff --git a/test/original/inline_images.unit b/test/original/inline_images.unit
index 5e38830e..9e582646 100644
--- a/test/original/inline_images.unit
+++ b/test/original/inline_images.unit
@@ -18,3 +18,8 @@
 
 <<<
 <p><img src="http://foo.com/foo.png" alt="alt" /></p>
+>>> XSS
+![Uh oh...]("onerror="alert('XSS'))
+
+<<<
+<p><img src="%22onerror=%22alert('XSS')" alt="Uh oh..." /></p>
\ No newline at end of file