author | bgw <29340584+bgwdotdev@users.noreply.github.com> | 2024-04-25 19:19:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-25 19:19:15 +0100 |
commit | 93aeeb7a6316389f3bd4bbdb7a9ffc555677e719 (patch) | |
tree | 70d2443bf31090a320c56b1029d99c0c4bb05dd6 /test/apps | |
parent | 06b75022eed1e8bbed13a85cc8aeb18199040392 (diff) | |
🔀 Escape attribute values when emitting static HTML. (#113)
* fix: add the escape function over custom attribute values
* fix: update class and style attribute values to be escaped
Diffstat (limited to 'test/apps')
-rw-r--r-- | test/apps/static.gleam | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/test/apps/static.gleam b/test/apps/static.gleam
index 5c6ca05..fcf52f3 100644
--- a/test/apps/static.gleam
+++ b/test/apps/static.gleam
@@ -1,8 +1,8 @@
 // IMPORTS ---------------------------------------------------------------------
-import lustre/attribute.{disabled, src}
+import lustre/attribute.{attribute, class, disabled, src, style}
 import lustre/element.{text}
-import lustre/element/html.{body, h1, head, html, img, input, title}
+import lustre/element/html.{body, div, h1, head, html, img, input, title}
 // VIEW ------------------------------------------------------------------------
@@ -16,3 +16,14 @@ pub fn view() {
 ]),
 ])
 }
+
+pub fn escaped_attribute() {
+ div(
+ [
+ class("'badquotes'"),
+ style([#("background", "\"><script>alert`1`</script>")]),
+ attribute("example", "{\"mykey\": \"myvalue\"}"),
+ ],
+ [],
+ )
+}
 |
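Review bot: None of the three values in `escaped_attribute` contains an `&`, so this fixture would not catch a renderer that escapes quotes and angle brackets but leaves ampersands alone or double-encodes an existing entity. Add one more entry to the attribute list, for example `attribute("amp", "a & b &amp; c"),` (a constructed sample value), and pin the expected output for it. The function also has no doc comment; something like `/// Fixture for the static-render escaping test: every value below contains characters that must be entity-encoded inside an attribute.` would tell the next reader why the strings look hostile. The assertion that consumes this fixture is outside this diff (the diffstat is limited to test/apps), so confirm it compares the exact rendered string rather than only checking that rendering succeeds.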