fix: escape entities in attributes (#17)

Closes #16
bpmn-io · Oct 1, 2024 · 0726866 · 0726866
1 parent 6e58ad1
commit 0726866
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ All notable changes to [tiny-svg](https://github.com/bpmn-io/tiny-svg) are docum
 
 ___Note:__ Yet to be released changes appear here._
 
+## 3.1.3
+
+* `FIX`: escape entities in attributes ([#16](https://github.com/bpmn-io/tiny-svg/issues/16))
+
 ## 3.1.2
 
 * `CHORE`: standalone `clear` implementation

diff --git a/lib/util/serialize.js b/lib/util/serialize.js
@@ -3,7 +3,7 @@
  */
 
 var TEXT_ENTITIES = /([&<>]{1})/g;
-var ATTR_ENTITIES = /([\n\r"]{1})/g;
+var ATTR_ENTITIES = /([&<>\n\r"]{1})/g;
 
 var ENTITY_REPLACEMENT = {
   '&': '&amp;',

diff --git a/test/spec/innerSVG.js b/test/spec/innerSVG.js
@@ -218,6 +218,41 @@ describe('inner-svg', function() {
       expect(svg).to.eql(text);
     });
 
+
+    it('should escape <> in attributes', function() {
+
+      // given
+      var container = createContainer();
+      var element = appendTo(create('svg'), container);
+
+      var text = '<g><rect data-foo="1 &lt;&gt; 2"/></g>';
+
+      innerSVG(element, text);
+
+      // when
+      var svg = innerSVG(element);
+
+      // then
+      expect(svg).to.eql(text);
+    });
+
+
+    it('should escape & in attributes', function() {
+
+      // given
+      var container = createContainer();
+      var element = appendTo(create('svg'), container);
+
+      var text = '<g><rect data-foo="1 &amp; 2"/></g>';
+
+      innerSVG(element, text);
+
+      // when
+      var svg = innerSVG(element);
+
+      // then
+      expect(svg).to.eql(text);
+    });
   });
 
 });