Unsafe HTML hijacking

[gdh1995]

Describe the bug

Viewer.js create its image list using ".alt" directly, but the "alt" attribute may include '"' characters and then cause potential hijacking:

viewerjs/src/js/render.js

Lines 71 to 90 in de9a4cf

	const alt = image.alt || getImageNameFromURL(src);
	let { url } = options;
	if (isString(url)) {
	url = image.getAttribute(url);
	} else if (isFunction(url)) {
	url = url.call(this, image);
	}
	if (src || url) {
	items.push('<li>'
	+ '<img'
	+ ` src="${src || url}"`
	+ ' role="button"'
	+ ' data-viewer-action="view"'
	+ ` data-index="${i}"`
	+ ` data-original-url="${url || src}"`
	+ ` alt="${alt}"`
	+ '>'
	+ '</li>');

I think an escaping of "alt" is needed here, and it's also beneficial to escape "src" and "url".

To Reproduce
Steps to reproduce the behavior:

1. create an <img> and set `image.alt = 'a">nihao'
2. activate Viewer.js on the image element
3. in the .viewer-list DOM node, there will be a text node of nihao">

Expected behavior

The "alt" attribute can be a real a">nihao.

Screenshots

Desktop:

• OS: Windows 10 x64
• Browser: chrome 73
• Version: 73, stable x64

Additional context

I have a Chrome extension Vimium C and it provides a command "LinkHints.activateModeToOpenImage" to open a new tab to display an arbitrary image. So I've used Viewer.js for years to provide moving and zooming functionalities.

Therefore, in my use case, all of image source URLs and "alt" text are from common web pages - they should not be "trusted" to be reliable and safe to create HTML. I once used JavaScript to create HTMLImageElement and then set ".alt = ...", but today I find Viewer.js does not. I think this is a bug causing potential HTML hijacking.