authorbgw <29340584+bgwdotdev@users.noreply.github.com>2024-04-25 19:19:15 +0100
committerGitHub <noreply@github.com>2024-04-25 19:19:15 +0100
commit93aeeb7a6316389f3bd4bbdb7a9ffc555677e719 (patch)
tree70d2443bf31090a320c56b1029d99c0c4bb05dd6 /test
parent06b75022eed1e8bbed13a85cc8aeb18199040392 (diff)
downloadlustre-93aeeb7a6316389f3bd4bbdb7a9ffc555677e719.tar.gz
lustre-93aeeb7a6316389f3bd4bbdb7a9ffc555677e719.zip
🔀 Escape attribute values when emitting static HTML. (#113)
* fix: apply the escape function to custom attribute values * fix: update class and style attribute values to be escaped
Diffstat (limited to 'test')
-rw-r--r--test/apps/static.gleam15
-rw-r--r--test/lustre_test.gleam6
2 files changed, 19 insertions, 2 deletions
diff --git a/test/apps/static.gleam b/test/apps/static.gleam
index 5c6ca05..fcf52f3 100644
--- a/test/apps/static.gleam
+++ b/test/apps/static.gleam
@@ -1,8 +1,8 @@
// IMPORTS ---------------------------------------------------------------------
-import lustre/attribute.{disabled, src}
+import lustre/attribute.{attribute, class, disabled, src, style}
import lustre/element.{text}
-import lustre/element/html.{body, h1, head, html, img, input, title}
+import lustre/element/html.{body, div, h1, head, html, img, input, title}
// VIEW ------------------------------------------------------------------------
@@ -16,3 +16,14 @@ pub fn view() {
]),
])
}
+
+pub fn escaped_attribute() {
+ div(
+ [
+ class("'badquotes'"),
+ style([#("background", "\"><script>alert`1`</script>")]),
+ attribute("example", "{\"mykey\": \"myvalue\"}"),
+ ],
+ [],
+ )
+}
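Review bot: The fixture in escaped_attribute covers quotes and angle brackets but no ampersand, so a serializer that escapes `"` and `<` yet leaves `&` untouched, or double-escapes an already-encoded `&amp;`, would still produce a passing snapshot. Adding one more entry to the attribute list, such as `attribute("data-amp", "a & b &amp; c"),`, would pin that case in the same snapshot. The closing brace of the preceding view function is the top of this hunk; escaped_attribute itself is complete within it.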
diff --git a/test/lustre_test.gleam b/test/lustre_test.gleam
index f3a2993..6cd93c3 100644
--- a/test/lustre_test.gleam
+++ b/test/lustre_test.gleam
@@ -149,3 +149,9 @@ pub fn fragment_counter_diff_test() {
birdie.snap(json.to_string(patch.element_diff_to_json(diff)), title)
process.send(runtime, Shutdown)
}
+
+pub fn escaped_attribute_test() {
+ let title = "Can safely escape dangerous symbols in attributes"
+ let el = static.escaped_attribute()
+ birdie.snap(element.to_string(el), title)
+}
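Review bot: escaped_attribute_test only snapshots element.to_string(el), so it pins whatever output was first approved rather than asserting that the dangerous input was escaped; an approved snapshot that still contained a raw `<script>` sequence would pass just the same. An explicit check next to the snapshot would make the intent self-verifying, e.g. `element.to_string(el) |> string.contains("<script>") |> should.be_false`, assuming gleam/string and gleeunit/should are available in this module (the imports are outside the hunk). The birdie snapshot this test reads is not in the diffstat, which is limited to test/, so it is presumably stored elsewhere and should be confirmed as committed alongside this change.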