Math inequality symbols in attributes are not properly encoded

[iongion]

The tag open < and > are not properly encoded inside attribute values.
They should become < and > - they makes the lib dangerous in projects dealing with user input/output.

[iongion]

For when running inside the web browser, a safe way to encode attribute values would be something like this:

  function htmlEncode(value) {
    const div = document.createElement('div');
    div.textContent = value;
    return div.innerHTML;
  }

Unfortunately, node env does not offer such a built-in, so you cannot rely on it, you could nevertheless, reference https://www.npmjs.com/package/js-htmlencode in your dependencies and use those functions to perform encoding. Encoding is not trivial task, use a library!

This person already tried disabling the encoding part of this project:

edkotkas@f0bf5d9

[touv]

I'm not sure to understand

XML specefiction doesn't allow & < and > : https://www.w3.org/TR/xml/#NT-AttValue
So they should be encoded, but how ?
Probably like HTML spec ? https://www.w3.org/TR/html51/syntax.html#attribute-value-double-quoted-state

The package that you cite replace special character by there corresponding literal entity
https://github.com/emn178/js-htmlencode/blob/master/src/htmlencode.js#L295-L298

Just like this package :

https://github.com/Inist-CNRS/node-xml-writer/blob/master/lib/xml-writer.js#L258-L265