maud
Bug: PreEscaped into attribute generates invalid HTML
This is related to #181 but I don't think it has been called out explicitly as a problem there. If you have some Markup/PreEscaped and slot it into an attribute then that is passed on without any further escaping, but Markup is escaped to be valid HTML not to be valid attribute content.
For example:
```rust
let title = maud::html! {
    "With " a href="https://example.com" { "a link in it" }
};
let result = maud::html! {
    meta property="og:title" content=(title);
};
println!("{}", result.into_string());
```
Output:
```html
<meta property="og:title" content="With <a href="https://example.com">a link in it</a>">
```
There are multiple possible solutions here:
- either the input needs to be re-escaped for the correct context
- or putting already-encoded input from the wrong context in should produce an error (since even the escaped version here is going to be dubious, even if it's safe, probably the intent is really to use the equivalent of textContent, but that cannot be decided in advance)
Ah, looks like this might have been started to be addressed in #460?
Yes, this is a known issue. I don't think there's an easy way out of it without context-aware escaping. I'll take a note of it when I work on #322.
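The reported behaviour next to the two options listed in the issue, as an added std-only Rust example that is not code from the issue or from maud; `Markup`, `Policy`, `escape`, `render_attr`, `parsed_value` and `sample_title` are hypothetical names, and the input is constructed from the issue's snippet.

```rust
// Added illustration, std only; hypothetical names, not maud's internals.
/// A string already escaped for HTML element context (stand-in for PreEscaped).
pub struct Markup(pub String);
pub enum Policy { PassThrough, ReEscape, Reject }

/// Escape characters significant in text and in double-quoted attribute values.
pub fn escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            _ => out.push(c),
        }
    }
    out
}

/// Render `name="..."` from element-context markup under the chosen policy.
pub fn render_attr(name: &str, m: &Markup, policy: Policy) -> Result<String, String> {
    match policy {
        // Behaviour reported in the issue: spliced in unchanged.
        Policy::PassThrough => Ok(format!("{}=\"{}\"", name, m.0)),
        // First option in the issue: re-escape for the attribute context.
        Policy::ReEscape => Ok(format!("{}=\"{}\"", name, escape(&m.0))),
        // Second option: treat the context mismatch as an error.
        Policy::Reject => Err(format!("markup used as value of `{}`", name)),
    }
}

/// The value an HTML parser sees: everything up to the next double quote.
pub fn parsed_value(attr: &str) -> &str {
    let rest = attr.split_once("=\"").map_or("", |(_, v)| v);
    rest.split('"').next().unwrap_or("")
}

/// Constructed input: the markup the issue's `title` block produces.
pub fn sample_title() -> Markup {
    Markup(String::from("With <a href=\"https://example.com\">a link in it</a>"))
}

fn main() {
    let t = sample_title();
    for p in [Policy::PassThrough, Policy::ReEscape, Policy::Reject] {
        println!("{:?}", render_attr("content", &t, p).map(|a| parsed_value(&a).to_string()));
    }
}
```

With pass-through, the attribute value ends at the first quote inside the markup; with re-escaping, the whole string survives as the value, though it then carries the link markup as literal text, which is the "dubious" case the issue mentions.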