quotations marks inside HTML attributes aren't escaped properly when merging

[MadaraUchiha]

I am using Highlight.js 9.0.0 which comes by default with reveal.js. Browser is chrome latest stable.

Given the following

<pre><code data-trim data-noescape class="typescript fragment">
// type Pick&lt;T, K extends keyof T> = {
//     [P in K]: T[P];
// }
function pick&lt;T, K extends keyof T>(obj: T, keys: K[]): Pick&lt;T, K> {
    // ...
}

const employee = {name: 'Madara', age: 125, profession: 'Developer'};
const person = pick(employee, ['name', 'age']); // {name: string, age: number}
const oops = pick(employee, <span data-title=" Type '&quot;height&quot;' is not assignable to type '&quot;name&quot; | &quot;age'&quot; | &quot;profession&quot;'.">['name', 'height']</span>)
</code></pre>

I see "Type '" in the title, looking at the DOM through the devtools it looks like highlight.js unescapes the attribute and possible inserts unescaped entities as innerHTML, the resulting DOM looks like this:

<!-- snip -->
<span data-title=" Type '"height"' .... ">...
<!-- /snip -->

Which causes the data-title attribute to end prematurely.

[Zemnmez]

the snippet you have here has the part you're saying got unescaped by hl.js already unescaped. You can see it in github's own highlight.

[joshgoebel]

@MadaraUchiha If this is still an issue could you make a https://jsfiddle.net showing the exactly issue that way we can make sure we're all talking on the same page?

[joshgoebel]

Ping.

[MadaraUchiha]

@yyyc514 Apologies, here is the reproduction case: https://jsfiddle.net/Ltrb1e8q/

See how in the HTML source, the data-title attribute is complete, but in the result DOM, it is sliced off.

Note that I did not try to reproduce this with the newer versions of Highlight.js, I used the version I reported originally.

[joshgoebel]

Note that I did not try to reproduce this with the newer versions of Highlight.js, I used the version I reported originally.

That's not helpful. I believe you that it was an issue THEN. :-) We need to know if it's still an active issue or not.

You can fork my jsfiddle if it helps:
https://jsfiddle.net/ajoshguy/a1kntyg4/

Thanks.

[joshgoebel]

Reproduction:
https://jsfiddle.net/ajoshguy/j8vhbr03/3/

Pretty sure issue is:

function attr_str(a) {return ' ' + a.nodeName + '="' + escape(a.value).replace('"', '"') + '"';}

Replace only does the replace a single time, when we need to replace ALL the quotes with " again.

[joshgoebel]

No idea about data-trim data-noescape though, those are Reveal features perhaps? But this is an actual bug so we can fix the actual bug in core and hopefully that'll help you out.