From fd462c8717fb7d532f803d5ef217c91da69a4062 Mon Sep 17 00:00:00 2001
From: Pavel Horal <pavel.horal@orchitech.cz>
Date: Thu, 4 Apr 2024 00:42:25 +0200
Subject: [PATCH] Escape inline link attributes. Fix #459.

---
 src/commonmark-rules.js |  3 ++-
 test/index.html         | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/commonmark-rules.js b/src/commonmark-rules.js
index 77a4c529..f32a8933 100644
--- a/src/commonmark-rules.js
+++ b/src/commonmark-rules.js
@@ -153,8 +153,9 @@ rules.inlineLink = {
 
   replacement: function (content, node) {
     var href = node.getAttribute('href')
+    if (href) href = href.replace(/([()])/g, '\\$1')
     var title = cleanAttribute(node.getAttribute('title'))
-    if (title) title = ' "' + title + '"'
+    if (title) title = ' "' + title.replace(/"/g, '\\"') + '"'
     return '[' + content + '](' + href + title + ')'
   }
 }
diff --git a/test/index.html b/test/index.html
index 26fa586c..065de26e 100644
--- a/test/index.html
+++ b/test/index.html
@@ -217,6 +217,16 @@
 link")</pre>
 </div>
 
+<div class="case" data-name="a with quotes in title">
+  <div class="input"><a href="http://example.com" title="&quot;hello&quot;">An anchor</a></div>
+  <pre class="expected">[An anchor](http://example.com "\"hello\"")</pre>
+</div>
+
+<div class="case" data-name="a with parenthesis in query">
+  <div class="input"><a href="http://example.com?(query)">An anchor</a></div>
+  <pre class="expected">[An anchor](http://example.com?\(query\))</pre>
+</div>
+
 <div class="case" data-name="a without a src">
   <div class="input"><a id="about-anchor">Anchor without a title</a></div>
   <pre class="expected">Anchor without a title</pre>