Fixed escaping of alt text in ContentFormat.img()

[bmispelon]

This should fix #2035 and also address escaping issues in the other formats (markdown and restructured text).

[thibaudcolas]

Looks reasonable but I don’t think I’ll have time to actually test this / review in more depth, sorry

[adamzap]

Other than the final ReST test that includes a newline (see my other comment), I'm able to get the tests to pass with this small change:

diff --git a/blog/models.py b/blog/models.py
index 0083dd22..9ca310b0 100644
--- a/blog/models.py
+++ b/blog/models.py
@@ -1,3 +1,4 @@
+import html
 from urllib.parse import urlparse
 
 from django.conf import settings
@@ -73,7 +74,7 @@ class ContentFormat(models.TextChoices):
         CF = type(self)
         return {
             CF.REST: f".. image:: {url}\n   :alt: {alt_text}",
-            CF.HTML: f'<img src="{url}" alt="{alt_text}">',
+            CF.HTML: f'<img src="{url}" alt="{html.escape(alt_text)}">',
             CF.MARKDOWN: f"![{alt_text}]({url})",
         }[self]

I'm wondering if _md_escape is not needed since markdown escapes alt text automatically:

>>> import markdown
>>> markdown.markdown('![Al"t t"ext](/path/to/img.jpg)')
'<p><img alt="Al&quot;t t&quot;ext" src="/path/to/img.jpg" /></p>'

If the intent behind _md_escape is something beyond fixing alt text quoting, could we put it in a different PR?

[bmispelon]

I got carried away not realizing that escaping was not really needed in markdown, I agree that keeping it simple is better here.

I went for the format_html route instead of manually using html.escape() as you suggested, but removed the _md_escape() and _rst_escape() which simplifies the PR (I agree that supporting newlines in alt texts for rst is not worth the complications).

Let me know what you think (I've kept the changes in a separate commit for ease of review but the two should get squashed when merging).

[adamzap]

👍 Looks great! No worries on the initial complexity. Thanks for considering my suggestions.

[pauloxnet]

LGTM