Skip to content

fix: escape attribute keys in html-format codegen (security hardening)#3472

Open
rvzsec wants to merge 1 commit into
pugjs:masterfrom
rvzsec:fix/escape-attribute-keys
Open

fix: escape attribute keys in html-format codegen (security hardening)#3472
rvzsec wants to merge 1 commit into
pugjs:masterfrom
rvzsec:fix/escape-attribute-keys

Conversation

@rvzsec

@rvzsec rvzsec commented Jul 1, 2026

Copy link
Copy Markdown

Replace raw key concatenation with stringify(key) in pug-attrs dynamic html-format branch, matching the escaping already used in the constant and object-format branches.

ZSA-2026-67650

Replace raw key concatenation with `stringify(key)` in pug-attrs
dynamic html-format branch, matching the escaping already used
in the constant and object-format branches.

ZSA-2026-67650
@rollingversions

Copy link
Copy Markdown

There is no change log for this pull request yet.

Create a changelog

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant