Juris-M / citeproc-js

Items with URL field that contain a quote mark " produce HTML bibliography output that is invalid with styles that output links, e.g. in Vancouver with an URL field https://example.com/" you get:

<div class="csl-entry">Example Domain. [cited 2024 Mar 28]. Available from: <a href="https://example.com/"">https://example.com/"</a></div>

Note <a href="https://example.com/""> with double quotes at the end of the href attribute.

When generating the HTML output the quote mark should be escaped with %22.

See zotero/zotero#3890 zotero/zotero-google-docs-integration#51

The place to edit would be here:

citeproc-js/src/formats.js

Lines 136 to 145 in 59fbf78

    
           "@URL/true": function (state, str) { 
        
               return "<a href=\"" + str + "\">" + str + "</a>"; 
        
           }, 
        
           "@DOI/true": function (state, str) { 
        
               var doiurl = str; 
        
               if (!str.match(/^https?:\/\//)) { 
        
                   doiurl = "https://doi.org/" + str; 
        
               } 
        
               return "<a href=\"" + doiurl + "\">" + str + "</a>"; 
        
           }

Some first thoughts:

Input URLs may be encoded or decoded, so we cannot simply call encodeURI()
decodeURI() can fail on some decoded input URLs (e.g. https://example.org/%)

	"@URL/true": function (state, str) {
	return "<a href=\"" + str + "\">" + str + "</a>";
	},
	"@DOI/true": function (state, str) {
	var doiurl = str;
	if (!str.match(/^https?:\/\//)) {
	doiurl = "https://doi.org/" + str;
	}
	return "<a href=\"" + doiurl + "\">" + str + "</a>";
	}

Quotes in URL field are not escaped and produce invalid HTML output