Escape, don't sanitise alt text in ImageLinkFilter

Asherah Connorrequested to merge
push-rrvzntvovqmk into master

What does this MR do and why?

https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2661 made the decision to sanitise the contents of the alt/data-src/src attribute in ImageLinkFilter.

The content isn't HTML, and we shouldn't treat it as such — treat it as the text it is. Otherwise we get a kind of weird lossy effect (if the alt text was say <hello> it gets sanitised to say , and if it was just <hello> it's ignored and we move onto data-src), and there's no reason for this at all: just display the text by escaping it in an HTML context.

The specs were also written in a way that's hard to get right; substituting text into HTML or attributes rarely goes well. Construct tags correctly so we can be confident.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Asherah Connor

Merge request reports