authorbgw <29340584+bgwdotdev@users.noreply.github.com>2024-04-25 19:19:15 +0100
committerGitHub <noreply@github.com>2024-04-25 19:19:15 +0100
commit93aeeb7a6316389f3bd4bbdb7a9ffc555677e719 (patch)
tree70d2443bf31090a320c56b1029d99c0c4bb05dd6 /src
parent06b75022eed1e8bbed13a85cc8aeb18199040392 (diff)
🔀 Escape attribute values when emitting static HTML. (#113)
* fix: add the escape function over custom attribute values * fix: update class and style attribute values to be escaped
Diffstat (limited to 'src')
-rw-r--r--src/lustre/internals/vdom.gleam33
1 files changed, 28 insertions, 5 deletions
diff --git a/src/lustre/internals/vdom.gleam b/src/lustre/internals/vdom.gleam
index fc4a4a3..4930f80 100644
--- a/src/lustre/internals/vdom.gleam
+++ b/src/lustre/internals/vdom.gleam
@@ -282,10 +282,30 @@ fn attributes_to_string_builder(
style,
inner_html <> val,
)
- Ok(#("class", val)) if class == "" -> #(html, val, style, inner_html)
- Ok(#("class", val)) -> #(html, class <> " " <> val, style, inner_html)
- Ok(#("style", val)) if style == "" -> #(html, class, val, inner_html)
- Ok(#("style", val)) -> #(html, class, style <> " " <> val, inner_html)
+ Ok(#("class", val)) if class == "" -> #(
+ html,
+ escape("", val),
+ style,
+ inner_html,
+ )
+ Ok(#("class", val)) -> #(
+ html,
+ class <> " " <> escape("", val),
+ style,
+ inner_html,
+ )
+ Ok(#("style", val)) if style == "" -> #(
+ html,
+ class,
+ escape("", val),
+ inner_html,
+ )
+ Ok(#("style", val)) -> #(
+ html,
+ class,
+ style <> " " <> escape("", val),
+ inner_html,
+ )
Ok(#(key, "")) -> #(
string_builder.append(html, " " <> key),
class,
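Review bot: The class and style values are now escaped as they are accumulated in these four branches, but the code that finally writes the class and style attributes lies outside the hunk, so it cannot be confirmed from here that they are emitted inside double quotes and are not escaped a second time. `escape` is also defined elsewhere; it has to encode `"` and `&` for attribute context, otherwise a value can still close the attribute. HTML-escaping a style value only keeps it inside the attribute and does not restrict the CSS itself, which deserves a comment on the style branches such as `// escaped for HTML attribute context only; the CSS in val is not sanitised`. A regression test that renders a class value containing `"` would pin the behaviour; none is visible here, though the diffstat is limited to src.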
@@ -293,7 +313,10 @@ fn attributes_to_string_builder(
inner_html,
)
Ok(#(key, val)) -> #(
- string_builder.append(html, " " <> key <> "=\"" <> val <> "\""),
+ string_builder.append(
+ html,
+ " " <> key <> "=\"" <> escape("", val) <> "\"",
+ ),
class,
style,
inner_html,
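Review bot: The attribute name `key` is still concatenated unescaped in `" " <> key <> "=\"" <> escape("", val) <> "\""`, and likewise in the `Ok(#(key, ""))` branch at the end of the previous hunk, so only the value side is protected. Whether a name can ever be derived from data rather than written by the developer is not visible here; if it can, a name containing whitespace, `"`, `>` or `=` would change the emitted tag. Consider skipping attributes whose name is not a plain attribute-name token before appending. Otherwise, state the assumption in a comment such as `// key is assumed to be a trusted, developer-supplied attribute name`. The enclosing function attributes_to_string_builder starts and ends outside the hunk.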