Encode attribute values

src/utils.ts

@@ -184,6 +184,14 @@ export function segment(
     : [...graphemeSegmenter.segment(content)].map((seg) => seg.segment)
 }
 
+function encodeAttributeValue(value: string) {
+  return value
+    .replace(/"/g, '"')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/&/g, '&amp;')
+}
+
 export function buildXMLString(
   type: string,
   attrs: Record<string, any>,
@@ -193,7 +201,11 @@ export function buildXMLString(
 
   for (const [k, _v] of Object.entries(attrs)) {
     if (typeof _v !== 'undefined') {
-      attrString += ` ${k}="${_v}"`
+      if (typeof _v === 'string') {
+        attrString += ` ${k}="${encodeAttributeValue(_v)}"`
+      } else {
+        attrString += ` ${k}="${_v}"`
+      }
     }
   }