From 26a2c746d320ba9a5b1ba0326a340fcd6f3f970f Mon Sep 17 00:00:00 2001
From: Yukai Huang <yukaihuangtw@gmail.com>
Date: Mon, 21 Dec 2020 14:10:03 +0800
Subject: [PATCH] Escape attributes in lightbox image

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
---
 public/js/lib/renderer/lightbox/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/public/js/lib/renderer/lightbox/index.js b/public/js/lib/renderer/lightbox/index.js
index 3619e0ae..e46e0a14 100644
--- a/public/js/lib/renderer/lightbox/index.js
+++ b/public/js/lib/renderer/lightbox/index.js
@@ -1,4 +1,5 @@
 import './lightbox.css'
+import escape from 'lodash/escape'
 
 let images = []
 /** @type {HTMLImageElement} */
@@ -74,7 +75,7 @@ function setImageInner (img, lightBoxContainer) {
   const src = img.getAttribute('src')
   const alt = img.getAttribute('alt')
 
-  lightBoxContainer.querySelector('.lightbox-inner').innerHTML = `<img src="${src}" alt="${alt}" draggable="false">`
+  lightBoxContainer.querySelector('.lightbox-inner').innerHTML = `<img src="${escape(src)}" alt="${escape(alt)}" draggable="false">`
   addImageDragListener(lightBoxContainer.querySelector('.lightbox-inner img'))
 }