[fix]: parse obj in attrs

[voischev]

input

<button class="button button_theme_alfa-on-white button_view_extra button_size_l button_type_submit button__control i-bem button_js_inited" data-bem="{&quot;button&quot;:{&quot;checkedView&quot;:&quot;extra&quot;}}" role="button" type="submit"><span class="button__text">Войти в интернет</span></button>

output

<button class="button button_theme_alfa-on-white button_view_extra button_size_l button_type_submit button__control i-bem" data-bem="{" button":{"checkedview":"extra"}}"="" role="button" type="submit"><span class="button__text">Войти в интернет</span></button>

[ccorcos]

I can verify this.

[ccorcos]

If you use v0.2.1 it works. This commit introduced the issue: posthtml/posthtml-parser@7e32484

[Scrum]

v0.2.1

may be v3.1 ?

If you use v0.2.1 it works.

Yes it works but maybe I hurried up. it probably does not need to be parsed but it's only necessary to transform it with the renderer and all this should most likely be options

[ccorcos]

Sounds like it needs to not be parsed. It shouldn't be unescaping those quotes and creating invalid html...

[RReverser]

Not sure if the same issue, but currently PostHTML transforms HTML like

<img src='1" onload="alert()'>

into

<img src="1" onerror="alert()">

which creates security issues when executed on untrusted HTML.