Escape attributes also

CHANGELOG.rst

@@ -5,7 +5,7 @@ History
 0.18.0 (2024-02-09)
 -------------------
 - html.escape all the attributes
-- Match link domain more precisely.
+- Match link domain more precisely
 - Image height or width can be individually specified
 
 0.16.0 (2023-03-14)

tests/data/html/embed.html

@@ -1 +1 @@
-<div class="embed-wrapper youtube-wrapper"><figure><iframe width="480" height="270" src="https://www.youtube.com/embed/GJQsT-h0FTU?feature=oembed" frameborder="0"  allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe><figcaption>Extraction</figcaption></figure></div>
+<div class="embed-wrapper youtube-wrapper"><figure><iframe width="480" height="270" src="https://www.youtube.com/embed/GJQsT-h0FTU?feature=oembed" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe><figcaption>Extraction</figcaption></figure></div>

tests/data/json/embed.json

@@ -13,8 +13,8 @@
         "thumbnail_height": 234,
         "caption": "Extraction",
         "provider": "Youtube",
-        "html": "<iframe width=\"480\" height=\"270\" src=\"https://www.youtube.com/embed/GJQsT-h0FTU?feature=oembed\" frameborder=\"0\"  allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>"
+        "html": "<iframe width=\"480\" height=\"270\" src=\"https://www.youtube.com/embed/GJQsT-h0FTU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>"
       }
     }
-   ]
+  ]
 }

tiptapy/__init__.py

@@ -43,15 +43,22 @@ def _get_abs_template_path(path_str):
     return os.path.join(pkg_dir, path_str)
 
 
-def escape_values_recursive(node):
-    skip_key = "html"  # Skip escaping html values in embeds
+def excape_values_recursive(node):
+    # Skip the html key in the node, as it is used to render the html
+    # and should not be escaped. Users should clean the html before
+    # passing it to the renderer.
+    skip_key = "html"
+
     if isinstance(node, dict):
         for k, v in node.items():
-            if k != skip_key:
-                node[k] = escape_values_recursive(v)
+            esc_k = escape(k)
+            if k != esc_k:
+                del node[k]
+            if esc_k != skip_key:
+                node[esc_k] = excape_values_recursive(v)
     elif isinstance(node, list):
         for i, v in enumerate(node):
-            node[i] = escape_values_recursive(v)
+            node[i] = excape_values_recursive(v)
     elif isinstance(node, str):
         return escape(node)
     return node
@@ -76,5 +83,5 @@ def __init__(self, config):
     def render(self, in_data):
         in_data = in_data if isinstance(in_data, dict) else json.loads(in_data)
         node = in_data if isinstance(in_data, dict) else json.loads(in_data)
-        node = escape_values_recursive(node)
+        node = excape_values_recursive(node)
         return self.t.render(node=node)