Quotes in URL field are not escaped and produce invalid HTML output

[adomasven]

Items with URL field that contain a quote mark " produce HTML bibliography output that is invalid with styles that output links, e.g. in Vancouver with an URL field https://example.com/" you get:

<div class="csl-entry">Example Domain. [cited 2024 Mar 28]. Available from: <a href="https://example.com/"">https://example.com/"</a></div>

Note <a href="https://example.com/""> with double quotes at the end of the href attribute.

When generating the HTML output the quote mark should be escaped with %22.

See zotero/zotero#3890 zotero/zotero-google-docs-integration#51

[larsgw]

The place to edit would be here:

citeproc-js/src/formats.js

Lines 136 to 145 in 59fbf78

	"@URL/true": function (state, str) {
	return "<a href=\"" + str + "\">" + str + "</a>";
	},
	"@DOI/true": function (state, str) {
	var doiurl = str;
	if (!str.match(/^https?:\/\//)) {
	doiurl = "https://doi.org/" + str;
	}
	return "<a href=\"" + doiurl + "\">" + str + "</a>";
	}

[larsgw]

Some first thoughts:

• Input URLs may be encoded or decoded, so we cannot simply call encodeURI()
• decodeURI() can fail on some decoded input URLs (e.g. https://example.org/%)