fix: html in attribute not escaped

Scrum · Scrum · commit acbb19bbbf47 · 2020-11-11T18:03:29.000+03:00
diff --git a/src/core/render/tpl.js b/src/core/render/tpl.js
@@ -1,3 +1,5 @@
+import { escapeHtml } from './utils';
+
 /**
  * Render github corner
  * @param  {Object} data URL for the View Source on Github link
@@ -91,7 +93,9 @@ export function tree(toc, tpl = '<ul class="app-sub-sidebar">{inner}</ul>') {
 
   let innerHTML = '';
   toc.forEach(node => {
-    innerHTML += `<li><a class="section-link" href="${node.slug}" title="${node.title}">${node.title}</a></li>`;
+    innerHTML += `<li><a class="section-link" href="${
+      node.slug
+    }" title="${escapeHtml(node.title)}">${node.title}</a></li>`;
     if (node.children) {
       innerHTML += tree(node.children, tpl);
     }
