Merge pull request #22 from luikore/master

fix(index): escape double quotes in html attributes

Author: Scrum

lib/index.js

@@ -127,11 +127,10 @@ function attrs (obj) {
   for (var key in obj) {
     if (typeof obj[key] === 'boolean' && obj[key]) {
       attr += ' ' + key
-    } else if (
-      typeof obj[key] === 'string' ||
-      typeof obj[key] === 'number'
-    ) {
+    } else if (typeof obj[key] === 'number') {
       attr += ' ' + key + '="' + obj[key] + '"'
+    } else if (typeof obj[key] === 'string') {
+      attr += ' ' + key + '="' + obj[key].replace(/"/g, '"') + '"'
     }
   }
 

test/render.test.js

@@ -103,6 +103,17 @@ describe('PostHTML Render', function () {
 
       expect(render(fixture)).to.eql(expected)
     })
+
+    it('{String} (double quotes)', function () {
+      var fixture = {
+        attrs: {
+          onclick: 'alert("hello world")'
+        }
+      }
+      var expected = '<div onclick="alert(&quot;hello world&quot;)"></div>'
+
+      expect(render(fixture)).to.eql(expected)
+    })
   })
 
   describe('Content', function () {