From 31f3c80f5e79bc71fbc999a33645629094acbf26 Mon Sep 17 00:00:00 2001
From: Antonio Pitasi
Date: Sat, 9 Sep 2023 20:02:05 +0200
Subject: [PATCH] add html attribute escaping

---
 rscx-macros/Cargo.toml | 1 +
 rscx-macros/src/lib.rs | 12 ++++++++++--
 rscx/Cargo.toml | 1 +
 rscx/src/lib.rs | 2 ++
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/rscx-macros/Cargo.toml b/rscx-macros/Cargo.toml
index ca8b098..676432d 100644
--- a/rscx-macros/Cargo.toml
+++ b/rscx-macros/Cargo.toml
@@ -15,6 +15,7 @@ proc-macro = true
 
 [dependencies]
 convert_case = "0.6.0"
+html-escape = "0.2.13"
 proc-macro2 = "1.0.66"
 proc-macro2-diagnostics = "0.10.1"
 quote = "1.0.33"
diff --git a/rscx-macros/src/lib.rs b/rscx-macros/src/lib.rs
index dc49102..700ff80 100644
--- a/rscx-macros/src/lib.rs
+++ b/rscx-macros/src/lib.rs
@@ -145,7 +145,11 @@ fn walk_nodes<'a>(empty_elements: &HashSet<&str>, nodes: &'a Vec) -> WalkN
 // If the nodes parent is an attribute we prefix with whitespace
 out.static_format.push(' ');
 out.static_format.push_str("{}");
- out.values.push(block.to_token_stream());
+ out.values.push(quote! {{
+ ::rscx::html_escape::encode_double_quoted_attribute(
+ (#block).as_str()
+ )
+ }});
 }
 NodeAttribute::Attribute(attribute) => {
 let key = match attribute.key.to_string().as_str() {
@@ -155,7 +159,11 @@ fn walk_nodes<'a>(empty_elements: &HashSet<&str>, nodes: &'a Vec) -> WalkN
 out.static_format.push_str(&format!(" {}", key));
 if let Some(value) = attribute.value() {
 out.static_format.push_str(r#"="{}""#);
- out.values.push(value.to_token_stream());
+ out.values.push(quote! {
+ ::rscx::html_escape::encode_unquoted_attribute(
+ &format!("{}", #value)
+ )
+ });
 }
 }
 }
diff --git a/rscx/Cargo.toml b/rscx/Cargo.toml
index cd48558..aa9a0cc 100644
--- a/rscx/Cargo.toml
+++ b/rscx/Cargo.toml
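Review bot: The `html-escape = "0.2.13"` line added to rscx-macros/Cargo.toml looks unnecessary, because in this commit the macro crate only names the escaping functions inside `quote!` output as `::rscx::html_escape::…`. That path resolves through the `rscx` crate's own dependency and re-export, not through the proc-macro crate. If nothing in rscx-macros calls html_escape at expansion time, dropping the line keeps one crate out of the build-time dependency set of the proc-macro. Otherwise a comment such as `# called at expansion time by <module>` would record why it is needed.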
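Review bot: In the `NodeAttribute::Block` arm of walk_nodes (first hunk of rscx-macros/src/lib.rs) the escaped value is written into the format string as a bare ` {}` with no surrounding quotes, yet `encode_double_quoted_attribute` is documented to rewrite only `&` and `"`, so whitespace, `=`, `<` and `>` from the block expression still reach the tag unescaped. The second hunk has the converse pairing: the value sits inside `="{}"` but goes through `encode_unquoted_attribute`, which is safe there and merely entity-encodes every non-alphanumeric ASCII character. For the quoted position `::rscx::html_escape::encode_double_quoted_attribute(&format!("{}", #value))` matches the context. For the block position the code should state what a block may produce, e.g. `// block output is emitted unquoted inside the tag; only & and " are escaped, so it must not carry untrusted text`. Both arms start or end outside the visible hunks.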
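Review bot: The two new call sites convert their argument differently. This `NodeAttribute::Attribute` arm (second hunk of rscx-macros/src/lib.rs) uses `&format!("{}", #value)` and so accepts any `Display` value, while the block arm in the previous hunk calls `(#block).as_str()`, which compiles only for types that have that method. A block that previously went through the `{}` placeholder as a number, or presumably as a `&str`, would stop compiling after this change. Using one conversion in both arms, e.g. `&(#block).to_string()`, keeps the old input surface. None of the four files touched adds a test that pins the escaped output for either arm.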
@@ -12,6 +12,7 @@ readme = "../README.md"
 
 [dependencies]
 axum = { version = "0.6.20", features = ["macros"], optional = true }
+html-escape = "0.2.13"
 rscx-macros = { workspace = true }
 tokio = { version = "1.32.0", features = ["full"] }
 tokio-util = { version = "0.7.8", features = ["rt"], optional = true }
diff --git a/rscx/src/lib.rs b/rscx/src/lib.rs
index c0a2cd5..8692416 100644
--- a/rscx/src/lib.rs
+++ b/rscx/src/lib.rs
@@ -7,6 +7,8 @@ pub use rscx_macros::*;
 
 pub extern crate typed_builder;
 
+pub extern crate html_escape;
+
 pub trait CollectFragment
 where
 I: Iterator,
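Review bot: `pub extern crate html_escape;` in rscx/src/lib.rs makes the whole html-escape API part of rscx's public surface, so a later major bump of that dependency becomes a breaking change for rscx users. It is presumably exported only so that macro expansions can name `::rscx::html_escape`. Marking it `#[doc(hidden)]` with a comment like `// re-exported for rscx-macros expansions only, not a stable API` would make that intent explicit. The existing `typed_builder` re-export just above it follows the same pattern and would benefit from the same treatment.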