FIX: escapehtml title attribute (#370)

FIX: escapehtml title attribute (#370)

diff --git a/lib/onebox/helpers.rb b/lib/onebox/helpers.rb
index cdcbc6b..a6e03a0 100644
--- a/lib/onebox/helpers.rb
+++ b/lib/onebox/helpers.rb
@@ -173,8 +173,7 @@ module Onebox
     end
 
     def self.title_attr(meta)
-      title = meta[:title].gsub("'", "'").gsub('"', """)
-      (meta && !blank?(title)) ? "title='#{title}'" : ""
+      (meta && !blank?(meta[:title])) ? "title='#{CGI::escapeHTML(meta[:title])}'" : ""
     end
 
     def self.normalize_url_for_output(url)

GitHub sha: e1e0b3c6