From e46e9ceb29581de3a32c8155f7cfd58ab59b2b8f Mon Sep 17 00:00:00 2001
From: Joe Mooring <joe.mooring@veriphor.com>
Date: Wed, 2 Mar 2022 09:30:57 -0800
Subject: markup/goldmark: Escape image alt attribute

Fixes #9594
---
 markup/goldmark/integration_test.go | 29 +++++++++++++++++++++++++++++
 markup/goldmark/render_hooks.go     |  2 +-
 2 files changed, 30 insertions(+), 1 deletion(-)

(limited to 'markup')

diff --git a/markup/goldmark/integration_test.go b/markup/goldmark/integration_test.go
index 16705ad62..89cd5bbb6 100644
--- a/markup/goldmark/integration_test.go
+++ b/markup/goldmark/integration_test.go
@@ -394,3 +394,32 @@ FENCE
 		builders[i].Build()
 	}
 }
+
+// Issue 9594
+func TestQuotesInImgAltAttr(t *testing.T) {
+	t.Parallel()
+
+	files := `
+-- config.toml --
+[markup.goldmark.extensions]
+  typographer = false
+-- content/p1.md --
+---
+title: "p1"
+---
+!["a"](b.jpg)
+-- layouts/_default/single.html --
+{{ .Content }}
+`
+
+	b := hugolib.NewIntegrationTestBuilder(
+		hugolib.IntegrationTestConfig{
+			T:           t,
+			TxtarString: files,
+		},
+	).Build()
+
+	b.AssertFileContent("public/p1/index.html", `
+		<img src="b.jpg" alt="&quot;a&quot;">
+	`)
+}
diff --git a/markup/goldmark/render_hooks.go b/markup/goldmark/render_hooks.go
index d5e35380a..138a60d26 100644
--- a/markup/goldmark/render_hooks.go
+++ b/markup/goldmark/render_hooks.go
@@ -175,7 +175,7 @@ func (r *hookedRenderer) renderImageDefault(w util.BufWriter, source []byte, nod
 		_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
 	}
 	_, _ = w.WriteString(`" alt="`)
-	_, _ = w.Write(n.Text(source))
+	_, _ = w.Write(util.EscapeHTML(n.Text(source)))
 	_ = w.WriteByte('"')
 	if n.Title != nil {
 		_, _ = w.WriteString(` title="`)
-- 
cgit v1.2.3