Escape attributes

josevalim · josevalim · commit 26a96dd3cb87 · 2025-09-09T08:25:49.000+02:00
diff --git a/lib/ex_doc/doc_ast.ex b/lib/ex_doc/doc_ast.ex
@@ -62,7 +62,7 @@ defmodule ExDoc.DocAST do
   end
 
   defp ast_attributes_to_string(attrs) do
-    Enum.map(attrs, fn {key, val} -> " #{key}=\"#{val}\"" end)
+    Enum.map(attrs, fn {key, val} -> " #{key}=\"#{ExDoc.Utils.h(val)}\"" end)
   end
 
   ## parse markdown
diff --git a/lib/ex_doc/formatter/epub/templates/module_template.eex b/lib/ex_doc/formatter/epub/templates/module_template.eex
@@ -25,7 +25,7 @@
     <%= for group <- module.docs_groups, key = text_to_id(group.title) do %>
       <section id="<%= key %>" class="details-list">
         <h1 class="section-heading"><%=h to_string(group.title) %></h1>
-        <%= if doc = group.doc  do %>
+        <%= if doc = group.doc do %>
           <div class="group-description" id="group-description-<%= key %>">
             <%= render_doc(doc) %>
           </div>
diff --git a/lib/ex_doc/formatter/html/templates.ex b/lib/ex_doc/formatter/html/templates.ex
@@ -40,7 +40,7 @@ defmodule ExDoc.Formatter.HTML.Templates do
   def module_type(%{type: :module}), do: ""
   def module_type(%{type: type}), do: "<small>#{type}</small>"
 
-  defp enc(binary), do: URI.encode(binary)
+  defp enc(binary), do: ExDoc.Utils.h(URI.encode(binary))
 
   @doc """
   Create a JS object which holds all the items displayed in the sidebar area
diff --git a/lib/ex_doc/formatter/html/templates/summary_template.eex b/lib/ex_doc/formatter/html/templates/summary_template.eex
@@ -1,13 +1,13 @@
 <div class="summary-<%= text_to_id(name) %> summary">
   <h2>
-    <a href="#<%= text_to_id(name) %>"><%= name %></a>
+    <a href="#<%=h text_to_id(name) %>"><%= name %></a>
   </h2>
   <%= for node <- nodes do %>
     <div class="summary-row">
       <div class="summary-signature">
         <a href="#<%=enc node.id %>" data-no-tooltip="" translate="no"><%=h node.signature %></a>
         <%= if deprecated = node.deprecated do %>
-          <span class="deprecated" title="<%= h(deprecated) %>">deprecated</span>
+          <span class="deprecated" title="<%=h deprecated %>">deprecated</span>
         <% end %>
       </div>
       <%= if doc = node.doc do %>
diff --git a/test/ex_doc/language/elixir_test.exs b/test/ex_doc/language/elixir_test.exs
@@ -128,7 +128,7 @@ defmodule ExDoc.Language.ElixirTest do
                ~s|<a href="https://hexdocs.pm/elixir/Kernel.html#+/2"><code class="inline">+/2</code></a>|
 
       assert autolink_doc("`&/1`") ==
-               ~s|<a href="https://hexdocs.pm/elixir/Kernel.SpecialForms.html#&/1"><code class="inline">&amp;/1</code></a>|
+               ~s|<a href="https://hexdocs.pm/elixir/Kernel.SpecialForms.html#&amp;/1"><code class="inline">&amp;/1</code></a>|
 
       assert autolink_doc("`for/1`") ==
                ~s|<a href="https://hexdocs.pm/elixir/Kernel.SpecialForms.html#for/1"><code class="inline">for/1</code></a>|
