From 6ddcbb948ef7e7f8eb9ad35f936e00ce4f2df3d0 Mon Sep 17 00:00:00 2001 From: ansuz Date: Wed, 23 Jun 2021 09:32:58 +0530 Subject: [PATCH] guard against markdown images with double-quotes in their href --- www/common/diffMarked.js | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/www/common/diffMarked.js b/www/common/diffMarked.js index cb95f37aa..6be2f0e7c 100644 --- a/www/common/diffMarked.js +++ b/www/common/diffMarked.js @@ -267,7 +267,7 @@ define([ }; renderer.image = function (href, title, text) { - if (href.slice(0,6) === '/file/') { + if (href.slice(0,6) === '/file/') { // XXX this has been deprecated for about 3 years... use the same inline image handler as below? // DEPRECATED // Mediatag using markdown syntax should not be used anymore so they don't support // password-protected files @@ -283,12 +283,14 @@ define([ mt += ''; return mt; } - var out = '' + text + '' : '>'; - return out; + + var img = h('img.cp-inline-img', { + src: href || '', + title: title || '', + alt: text || '', + }); + + return img.outerHTML; }; restrictedRenderer.image = renderer.image;
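Review bot: The deprecated `/file/` branch in `renderer.image` still returns hand-concatenated markup (`mt += …; return mt;`, visible as context at the top of the second hunk), so the quote guard added by this commit covers only hrefs that do not start with `/file/`. The lines that assemble `mt` are outside the hunk, so whether values derived from `href` reach that string unescaped cannot be confirmed from here and should be checked. The new `// XXX` comment asks a question rather than recording a decision. I would either build that element through `h(...)` and return its `outerHTML` like the new image path, or replace the comment with something actionable such as `// TODO: remove this branch or build the tag with h(); it still concatenates attribute values into markup`.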
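Review bot: The switch to `h('img.cp-inline-img', {...})` plus `img.outerHTML` has no comment explaining why the element is serialized by the DOM, and that is what stops a `"` in `href`, `title` or `text` from ending the attribute early. I would add a comment above the call, e.g. `// build via h() and serialize: the DOM escapes quotes in href/title/text, do not go back to string concatenation`, so a later cleanup does not reintroduce the concatenated form. Serialization only protects attribute boundaries: `src` still carries whatever URL the document supplied, so any scheme or origin restriction has to be enforced elsewhere, and this hunk does not show whether the renderer output is sanitized afterwards. The new code also always emits `title` and `alt`, even when empty, and adds the `cp-inline-img` class. A regression test that renders an image whose href contains a double quote and asserts that a single `img` element with no extra attributes comes out would pin the fix.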