Closed ekuiter closed 3 years ago
Hey @ekuiter !
Thanks for creating this issue. I can confirm it - minimal reproduction is as simple as creating a new site from blog starter and adding title
(with a "
character) to Image
component inside bio.js
.
Hiya!
This issue has gone quiet. Spooky quiet. π»
We get a lot of issues, so we currently close issues after 30 days of inactivity. Itβs been at least 20 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open! As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!
Thanks for being a part of the Gatsby community! πͺπ
This is fixed in gatsby-plugin-image
Description
In https://github.com/gatsbyjs/gatsby/blob/3666917d7218433e0ae0adde6bd024e358e83ba0/packages/gatsby-image/src/index.js#L233, the noscriptImg function (which is responsible for displaying images when JavaScript is disabled) uses string interpolation to inject the passed props:
https://github.com/gatsbyjs/gatsby/blob/3666917d7218433e0ae0adde6bd024e358e83ba0/packages/gatsby-image/src/index.js#L239
This fails whenever one of the props contains double quotes, or more precisely, it causes the browser to fail parsing such attributes.
Steps to reproduce
Create two Imgs as follows:
Run
gatsby build
, view in a browser and disable JavaScript. In the delivered HTML, we have ...... which will obviously fail to parse in the browser. Firefox, for example, interprets the second Img as follows in the DOM:
Expected result
Props given to Img, such as
title
in the example above, should be properly escaped. For example, we could havetitle=""MyTitle""
in the delivered HTML instead.Actual result
Browsers trip over all affected attributes. In my case (latest Firefox), the attribute is silently ignored.
Environment