markup/goldmark: Escape image alt attribute

Fixes #9594

diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go
index 16705ad62903fb714be6df70db3ef798a65712cd..89cd5bbb64464964d6c805c73debed7a0af26cc2 100644 (file)
--- a/markup/goldmark/integration_test.go
+++ b/markup/goldmark/integration_test.go
@@ -394,3 +394,32 @@ FENCE
                builders[i].Build()
        }
 }
+
+// Issue 9594
+func TestQuotesInImgAltAttr(t *testing.T) {
+       t.Parallel()
+
+       files := `
+-- config.toml --
+[markup.goldmark.extensions]
+  typographer = false
+-- content/p1.md --
+---
+title: "p1"
+---
+!["a"](b.jpg)
+-- layouts/_default/single.html --
+{{ .Content }}
+`
+
+       b := hugolib.NewIntegrationTestBuilder(
+               hugolib.IntegrationTestConfig{
+                       T:           t,
+                       TxtarString: files,
+               },
+       ).Build()
+
+       b.AssertFileContent("public/p1/index.html", `
+               <img src="b.jpg" alt="&quot;a&quot;">
+       `)
+}

diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go
index d5e35380a11bf00fc177199bee9a9c7759e6597c..138a60d263b06fd079c34c0e6b5f23fb87bba805 100644 (file)
--- a/markup/goldmark/render_hooks.go
+++ b/markup/goldmark/render_hooks.go
@@ -175,7 +175,7 @@ func (r *hookedRenderer) renderImageDefault(w util.BufWriter, source []byte, nod
                _, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
        }
        _, _ = w.WriteString(`" alt="`)
-       _, _ = w.Write(n.Text(source))
+       _, _ = w.Write(util.EscapeHTML(n.Text(source)))
        _ = w.WriteByte('"')
        if n.Title != nil {
                _, _ = w.WriteString(` title="`)