From 338f0382d37d802ae5e58096ef43d38de1c4878c Mon Sep 17 00:00:00 2001
From: Timothy Flynn
Date: Sun, 18 Feb 2024 14:17:09 -0500
Subject: [PATCH] LibWebView: Escape HTML within attribute values in the Inspector HTML

If an attribute value contains HTML, let's make sure we render it as text, instead of injecting HTML in the middle of an Inspector field.
---
 Userland/Libraries/LibWebView/InspectorClient.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibWebView/InspectorClient.cpp b/Userland/Libraries/LibWebView/InspectorClient.cpp
index d4eb32dfd9..928b691218 100644
--- a/Userland/Libraries/LibWebView/InspectorClient.cpp
+++ b/Userland/Libraries/LibWebView/InspectorClient.cpp
@@ -542,7 +542,7 @@ String InspectorClient::generate_dom_tree(JsonObject const& dom_tree)
 builder.appendff("", tag, dom_node_attributes.size());
 builder.appendff("{}", name);
 builder.append('=');
- builder.appendff("\"{}\"", value_string);
+ builder.appendff("\"{}\"", escape_html_entities(value_string));
 builder.append(""sv);
 dom_node_attributes.empend(MUST(String::from_byte_string(name)), MUST(String::from_byte_string(value_string)));
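Review bot: The attribute name on the `builder.appendff("{}", name);` line two lines above the change is still interpolated into the Inspector HTML raw, and the HTML tokenizer lets a page put `<`, `"` or `&` into an attribute name (e.g. `<div a<b="c">` yields the name `a<b`), so the same injection this commit closes for values stays open one field earlier; escape it the same way, `builder.appendff("{}", escape_html_entities(name));`. The `tag` argument on the first context line is also passed through unescaped; its format string is not legible in this extraction, so whether it lands in an attribute or in text content cannot be confirmed from here, but a tag name can likewise carry such characters and the same treatment would be cheap. Storing the raw `value_string` in `dom_node_attributes` afterwards looks intentional, since that is the data model rather than markup, and is not affected. generate_dom_tree begins and ends outside this hunk.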