From: Etienne Massip Date: Mon, 3 Oct 2011 21:45:17 +0000 (+0000) Subject: Escape image urls in wiki formatted HTML text (#9245). X-Git-Tag: 1.3.0~410 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f1b4a561bad1cdb449c285eb190b6ab4b1addc93;p=redmine.git Escape image urls in wiki formatted HTML text (#9245). git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7570 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb
index f4c624437..8a33943dc 100644
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@@ -938,7 +938,7 @@ class RedCloth3 < String
 stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
 htmlesc title
 atts = pba( atts )
- atts = " src=\"#{ url }\"#{ atts }"
+ atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
 atts << " title=\"#{ title }\"" if title
 atts << " alt=\"#{ title }\""
 # size = @getimagesize($url);
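Review bot: Only `url` is escaped on the new `src` line, while `href` is captured from the same match on the `$~[1..8]` line and is used somewhere outside this hunk; if it is interpolated into an `href="…"` attribute further down, it needs the same `htmlesc` treatment, otherwise a quote in the link target could still close the attribute early. The new line also relies on `htmlesc` returning the escaped string, whereas the context line `htmlesc title` calls it only for its in-place effect, so that return value should be confirmed against the helper's definition. Because the escape is applied to `url.dup`, `url` itself stays raw for any later use in the block, which a comment such as `# escape a copy for the attribute; url itself stays unescaped` would make explicit. Escaping does not constrain the URL scheme, so any scheme allow-listing would have to be handled separately. The enclosing block starts and ends outside the hunk.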