miromannino / Justified-Gallery

JavaScript library to help create high-quality justified galleries of images. Used by thousands of websites as well as the photography community 500px.
http://miromannino.github.io/Justified-Gallery/
MIT License

Add option for XSS filtering of caption content #265

Closed seanbeaton closed 5 years ago

seanbeaton commented 6 years ago

I've covered the reasons for this in the closed task #47.

I'll copy-paste my comments below. There's also a pull request for this, #264.

seanbeaton commented 6 years ago

We're having this same issue, but with JS. We're already escaping the alt tag's content before it's added to the page with JS, but we want the content of the alt tag to be readable (and we don't want to double-escape its content). Also, we don't need to use JS inside the tag for things like Like buttons and such.

I've created a pull request that adds a setting escapeCaptionMarkup to the settings array. It defaults to false, but setting it to true will use a different method of adding the caption text that doesn't run JS.

Just as a note on why this addition is important: sometimes we're allowing user content in the alt attribute, making this an XSS risk.

As of now, the default setting keeps the current functionality (no filtering), but it may be worth looking at having the default be safer and use the true or 'lenient' option to guard against accidental XSS vulnerabilities. This would change functionality for people intentionally using JS in their captions (for like buttons and such), so it would need to be a separate version with documentation of the change for anyone upgrading.
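The risk described in this issue is that the gallery reads an image's alt text and inserts it into the caption as HTML, so any markup a user put in the alt attribute becomes live markup on the page. The following is an added example, not code from Justified-Gallery or from the pull request: it models the two caption-building paths as plain string functions (the real code would set innerHTML versus textContent on a DOM node) and uses the proposed setting name `escapeCaptionMarkup` from the issue; the `buildCaption`, `escapeHtml` and `containsMarkup` functions and their signatures are assumptions for illustration.

```javascript
// Added example (not Justified-Gallery code). Contrasts the current behaviour,
// where alt text is treated as markup, with an escapeCaptionMarkup=true path
// that treats alt text as plain text before it reaches the caption.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML structure or break out of
// an attribute value. This is the minimal safe encoding for text placed in
// an element body or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the caption HTML for an image's alt text.
// settings.escapeCaptionMarkup is the option proposed in this issue; the
// default false mirrors the existing behaviour (alt inserted as-is).
function buildCaption(alt, settings = { escapeCaptionMarkup: false }) {
  const body = settings.escapeCaptionMarkup ? escapeHtml(alt) : alt;
  return `<div class="caption">${body}</div>`;
}

// Defensive check usable in a test suite or a content audit: after removing
// the wrapper we control, does the caption body still contain any tag?
function containsMarkup(captionHtml) {
  const inner = captionHtml
    .replace(/^<div class="caption">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample: alt text supplied by an untrusted user that carries a
// script tag alongside the legitimate description.
const untrustedAlt = 'Sunset over the pier <script>alert(1)</script>';

console.log('default :', buildCaption(untrustedAlt));
console.log('escaped :', buildCaption(untrustedAlt, { escapeCaptionMarkup: true }));
```

With the default setting the caption body still contains the script tag and `containsMarkup` reports true; with `escapeCaptionMarkup: true` the same alt text is rendered as visible characters and the check reports false. The example also shows why the default matters: a site that never intended markup in captions is exposed unless it knows to flip the option.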