
fix: escape single quotes, raw text parsing, input validation#73

Open
dannywillems wants to merge 3 commits into master from fix/bugs-batch

Conversation

@dannywillems
Contributor

Summary

Test plan

  • 71 parser tests pass (including 5 new tokenizer + 3 new tree builder tests)
  • 13 doc tests pass
  • 11 new validation tests (#[should_panic]) for tag and attribute names
  • 2 new DOM escaping tests for single quotes
  • Clippy clean (-D warnings)

Closes #59
Closes #53
Closes #25
Closes #27

Add single-quote escaping (') to Element::render_to to prevent
XSS when attribute values contain single quotes and are later placed
in single-quoted contexts.

Closes #59
Add a RawText tokenizer state that prevents content inside
script, style, textarea, and title elements from being parsed
as HTML. The tokenizer now scans for the matching end tag before
resuming normal HTML parsing.

Closes #53
Add runtime validation to Element::new, attr, and bool_attr to
reject invalid tag names (must be ASCII alphanumeric + hyphens,
start with a letter) and invalid attribute names (must not contain
whitespace, quotes, angle brackets, slash, equals, or null).

Closes #25
Closes #27
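The three fixes described in the commits above, as an added illustration that is not the project's own code: attribute-value escaping that covers single quotes, plus the tag-name and attribute-name rules stated in the third commit. The function names and the panic-on-invalid-name behaviour are assumptions made for this example, modelled on the `#[should_panic]` tests listed in the test plan.

```rust
// Added example, not the project's code. Function names are assumptions.

/// Escape a value for an HTML attribute, whether the attribute is wrapped in
/// double or single quotes. Without the `'` rule a value such as `a' b='c`
/// would close a single-quoted attribute early and start a new one.
pub fn escape_attr(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for c in value.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Tag names: ASCII alphanumerics or '-', and the first char must be an
/// ASCII letter. The empty string fails the first-char check.
pub fn is_valid_tag_name(name: &str) -> bool {
    let mut chars = name.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_alphanumeric() || c == '-')
}

/// Attribute names: non-empty and free of whitespace, quotes, angle
/// brackets, '/', '=' and NUL, so a name cannot break out of its tag.
pub fn is_valid_attr_name(name: &str) -> bool {
    !name.is_empty()
        && !name.chars().any(|c| {
            c.is_whitespace() || matches!(c, '"' | '\'' | '<' | '>' | '/' | '=' | '\0')
        })
}

/// Render one attribute in a single-quoted context: reject a bad name up
/// front (panicking, as the PR's validation tests expect) and escape the value.
pub fn render_single_quoted_attr(name: &str, value: &str) -> String {
    assert!(is_valid_attr_name(name), "invalid attribute name: {name:?}");
    format!("{}='{}'", name, escape_attr(value))
}
```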
dannywillems added the `no changelog` label (Skip changelog requirement for this PR) on Feb 8, 2026