Fixed escaping of alt text in ContentFormat.img() (#2036)

bmispelon · web-flow · commit 253cc2a4499c · 2025-05-30T23:32:30.000+01:00
* Fixed escaping of alt text in ContentFormat.img()

* Simpler approach
diff --git a/blog/models.py b/blog/models.py
@@ -8,6 +8,7 @@
 from django.utils import timezone
 from django.utils.cache import _generate_cache_header_key
 from django.utils.formats import date_format
+from django.utils.html import format_html
 from django.utils.translation import gettext_lazy as _
 from django_hosts.resolvers import get_host, reverse, reverse_host
 from docutils.core import publish_parts
@@ -73,7 +74,7 @@ def img(self, url, alt_text):
         CF = type(self)
         return {
             CF.REST: f".. image:: {url}\n   :alt: {alt_text}",
-            CF.HTML: f'<img src="{url}" alt="{alt_text}">',
+            CF.HTML: format_html('<img src="{}" alt="{}">', url, alt_text),
             CF.MARKDOWN: f"![{alt_text}]({url})",
         }[self]
 
diff --git a/blog/tests.py b/blog/tests.py
@@ -297,3 +297,43 @@ def test_full_url(self):
             r"http://www\.djangoproject\.localhost:8000"
             r"/m/blog/images/2005/07/test(_\w+)?\.png",
         )
+
+    def test_alt_text_html_escape(self):
+        testdata = [
+            (ContentFormat.HTML, 'te"st', '<img src="." alt="te&quot;st">'),
+            (ContentFormat.HTML, "te<st>", '<img src="." alt="te&lt;st&gt;">'),
+            (ContentFormat.MARKDOWN, 'te"st', '<img src="." alt="te&quot;st">'),
+            (ContentFormat.MARKDOWN, "te[st]", '<img src="." alt="te[st]">'),
+            (ContentFormat.MARKDOWN, "te{st}", '<img src="." alt="te{st}">'),
+            (ContentFormat.MARKDOWN, "te<st>", '<img src="." alt="te&lt;st&gt;">'),
+            (ContentFormat.MARKDOWN, "test*", '<img src="." alt="test*">'),
+            (ContentFormat.MARKDOWN, "test_", '<img src="." alt="test_">'),
+            (ContentFormat.MARKDOWN, "test`", '<img src="." alt="test`">'),
+            (ContentFormat.MARKDOWN, "test+", '<img src="." alt="test+">'),
+            (ContentFormat.MARKDOWN, "test-", '<img src="." alt="test-">'),
+            (ContentFormat.MARKDOWN, "test.", '<img src="." alt="test.">'),
+            (ContentFormat.MARKDOWN, "test!", '<img src="." alt="test!">'),
+            (ContentFormat.MARKDOWN, "te\nst", '<img src="." alt="te\nst">'),
+            (ContentFormat.REST, 'te"st', '<img src="." alt="te&quot;st">'),
+            (ContentFormat.REST, "te[st]", '<img src="." alt="te[st]">'),
+            (ContentFormat.REST, "te{st}", '<img src="." alt="te{st}">'),
+            (ContentFormat.REST, "te<st>", '<img src="." alt="te&lt;st&gt;">'),
+            (ContentFormat.REST, "te:st", '<img src="." alt="te:st">'),
+            (ContentFormat.REST, "test*", '<img src="." alt="test*">'),
+            (ContentFormat.REST, "test_", '<img src="." alt="test_">'),
+            (ContentFormat.REST, "test`", '<img src="." alt="test`">'),
+            (ContentFormat.REST, "test+", '<img src="." alt="test+">'),
+            (ContentFormat.REST, "test-", '<img src="." alt="test-">'),
+            (ContentFormat.REST, "test.", '<img src="." alt="test.">'),
+            (ContentFormat.REST, "test!", '<img src="." alt="test!">'),
+        ]
+        for cf, alt_text, expected in testdata:
+            # RST doesn't like an empty src, so we use . instead
+            img_tag = cf.img(url=".", alt_text=alt_text)
+            if cf is ContentFormat.MARKDOWN:
+                expected = f"<p>{expected}</p>"
+            with self.subTest(cf=cf, alt_text=alt_text):
+                self.assertHTMLEqual(
+                    ContentFormat.to_html(cf, img_tag),
+                    expected,
+                )
