Escape values of HTML attributes

Escape values of HTML attributes

diff --git a/lib/discourse_diff.rb b/lib/discourse_diff.rb
index cdf3787..3887abe 100644
--- a/lib/discourse_diff.rb
+++ b/lib/discourse_diff.rb
@@ -256,7 +256,7 @@ class DiscourseDiff
     USELESS_TAGS = %w{html body}
     def start_element(name, attributes = [])
       return if USELESS_TAGS.include?(name)
-      attrs = attributes.map { |a| " #{a[0]}=\"#{a[1]}\"" }.join
+      attrs = attributes.map { |a| " #{a[0]}=\"#{CGI::escapeHTML(a[1])}\"" }.join
       @tokens << "<#{name}#{attrs}>"
     end
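Review bot: The attribute name in the added line is still interpolated raw (`a[0]`), so only the value half of each pair is escaped; escaping both, `" #{CGI.escapeHTML(a[0])}=\"#{CGI.escapeHTML(a[1])}\""`, keeps the rebuilt tag well-formed even if the parser ever hands back a name containing quotes or angle brackets. A second behavioural difference from the removed line: `"#{a[1]}"` rendered a nil value as an empty string, whereas `CGI.escapeHTML(nil)` raises `TypeError`, so `CGI.escapeHTML(a[1].to_s)` is the safer spelling if the SAX callback can deliver value-less attributes — I cannot confirm that from this hunk. Stylistically, `CGI.escapeHTML` is the conventional form for a method call; `CGI::escapeHTML` reads like a constant lookup. The enclosing class DiscourseDiff starts and ends outside the hunk.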
 
diff --git a/spec/components/discourse_diff_spec.rb b/spec/components/discourse_diff_spec.rb
index d8683de..7f7d61e 100644
--- a/spec/components/discourse_diff_spec.rb
+++ b/spec/components/discourse_diff_spec.rb
@@ -107,6 +107,11 @@ describe DiscourseDiff do
       expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("<div class=\"revision-content\"><p><del>&#39;</del></p></div><div class=\"revision-content\"><p></p></div>")
     end
 
+    it "escapes attribute values" do
+      before = "<p data-attr='Some \"quoted\" string'></p>"
+      after = "<p data-attr='Some \"quoted\" string'></p>"
+      expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("<div class=\"revision-content\"><p data-attr=\"Some &quot;quoted&quot; string\"></p></div><div class=\"revision-content\"><p data-attr=\"Some &quot;quoted&quot; string\"></p></div>")
+    end
   end
 
   describe "side_by_side_markdown" do
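Review bot: The new example only covers a double quote in the attribute value, and `before` and `after` are identical, so it never exercises an attribute value containing `&`, `<` or `>` or the path where the two revisions differ. Adding a second input such as `data-attr='a&b<c'` and asserting `&amp;` / `&lt;` in the output would pin the full escaping contract rather than one character, and a case with differing attribute values would show the escape survives the diff markup. The enclosing `describe` block begins outside the hunk.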

GitHub sha: d54b3398096a44172a72baeb542c3a36dd7280c0

This commit appears in #13996 which was approved by eviltrout. It was merged by eviltrout.