From 1349ece88309f86c493aab3f3e5d74f6982bef2b Mon Sep 17 00:00:00 2001
From: Alexey Pyltsyn
Date: Thu, 3 Jun 2021 15:52:13 +0300
Subject: [PATCH] fix(v2): escape HTML entities in user tags attributes (#4894)
---
 packages/docusaurus/package.json | 1 +
 .../src/server/html-tags/__tests__/htmlTags.test.ts | 5 +++--
 packages/docusaurus/src/server/html-tags/htmlTags.ts | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/docusaurus/package.json b/packages/docusaurus/package.json
index 805b773dd5..3cf1e51e9d 100644
--- a/packages/docusaurus/package.json
+++ b/packages/docusaurus/package.json
@@ -69,6 +69,7 @@
 "cssnano": "^5.0.4",
 "del": "^6.0.0",
 "detect-port": "^1.3.0",
+ "escape-html": "^1.0.3",
 "eta": "^1.12.1",
 "express": "^4.17.1",
 "file-loader": "^6.2.0",
diff --git a/packages/docusaurus/src/server/html-tags/__tests__/htmlTags.test.ts b/packages/docusaurus/src/server/html-tags/__tests__/htmlTags.test.ts
index 7d3b34e5f7..34e7017e99 100644
--- a/packages/docusaurus/src/server/html-tags/__tests__/htmlTags.test.ts
+++ b/packages/docusaurus/src/server/html-tags/__tests__/htmlTags.test.ts
@@ -8,7 +8,7 @@ import htmlTagObjectToString from '../htmlTags';
 describe('htmlTagObjectToString', () => {
- test('simple html tag', () => {
+ test('valid html tag', () => {
 expect(
 htmlTagObjectToString({
 tagName: 'script',
@@ -17,10 +17,11 @@ describe('htmlTagObjectToString', () => {
 src: 'https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js',
 async: true,
+ 'data-options': '{"prop":true}',
 },
 }),
 ).toMatchInlineSnapshot(
- `""`,
+ `""`,
 );
 expect(
diff --git a/packages/docusaurus/src/server/html-tags/htmlTags.ts b/packages/docusaurus/src/server/html-tags/htmlTags.ts
index c96779375c..8033ef42ae 100644
--- a/packages/docusaurus/src/server/html-tags/htmlTags.ts
+++ b/packages/docusaurus/src/server/html-tags/htmlTags.ts
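Review bot: The added fixture `'data-options': '{"prop":true}'` exercises only the double-quote case of the escaping introduced in htmlTags.ts, and the inline snapshot text is not readable in this rendering of the patch, so the expected escaped output cannot be confirmed here. A value containing the other characters escape-html rewrites (`<`, `>`, `&`, `'`) is not asserted anywhere in the hunk. Adding one more attribute to the same object, e.g. `'data-title': "a <b> & it's",` with the snapshot expected to contain `data-title="a &lt;b&gt; &amp; it&#39;s"`, would pin the full escape set rather than just `&quot;`. The `expect(` call at the end of the hunk continues outside it.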
@@ -9,6 +9,7 @@ import {isPlainObject} from 'lodash';
 import {HtmlTagObject} from '@docusaurus/types';
 import htmlTags from 'html-tags';
 import voidHtmlTags from 'html-tags/void';
+import escapeHTML from 'escape-html';
 function assertIsHtmlTagObject(val: unknown): asserts val is HtmlTagObject {
 if (!isPlainObject(val)) {
@@ -41,7 +42,7 @@ export default function htmlTagObjectToString(tagDefinition: unknown): string {
 if (tagAttributes[attributeName] === true) {
 return attributeName;
 }
- return `${attributeName}="${tagAttributes[attributeName]}"`;
+ return `${attributeName}="${escapeHTML(tagAttributes[attributeName])}"`;
 });
 return `<${[tagDefinition.tagName].concat(attributes).join(' ')}>${
 (!isVoidTag && tagDefinition.innerHTML) || ''
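Review bot: Only the attribute value is escaped on the added line in the `@@ -41,7 +42,7 @@` hunk; `attributeName` is still interpolated verbatim both in `return attributeName;` and in the new template, so if the keys of `tagAttributes` come from the same user-supplied object as the values, a key containing whitespace, `=`, `/` or `>` still lands unescaped inside the tag. Entity-escaping does not apply to attribute names (the HTML tokenizer does not decode character references there), so the fix is validation rather than `escapeHTML`, e.g. at the top of the same callback: `if (!/^[a-zA-Z_:][-a-zA-Z0-9_:.]*$/.test(attributeName)) { throw new Error(\`Invalid HTML attribute name "${attributeName}"\`); }`. Separately, the unchanged `=== true` branch means a `false` value is rendered as `name="false"` rather than omitted, which looks pre-existing and may be intentional. Both the map callback and htmlTagObjectToString continue outside the hunk.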