diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb
index 8148ddee..de04f02f 100644
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@@ -939,7 +939,7 @@ class RedCloth3 < String
 stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
 htmlesc title
 atts = pba( atts )
- atts = " src=\"#{ url }\"#{ atts }"
+ atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
 atts << " title=\"#{ title }\"" if title
 atts << " alt=\"#{ title }\""
 # size = @getimagesize($url);
diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index a5ea0936..9ba76474 100644
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -194,6 +194,14 @@ EXPECTED
 assert_equal '
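Review bot: The new `src` value depends on `htmlesc` returning the escaped string, whereas two lines above it is used purely for its in-place effect on `title`; because `url.dup` is a temporary, a `nil` return (e.g. if `htmlesc` ends on a `gsub!` that made no change) would silently emit `src=""` rather than a safely escaped URL. Either confirm `htmlesc`'s return contract or make the intent explicit in two statements: `url = url.dup; htmlesc url` and then `atts = " src=\"#{ url }\"#{ atts }"`. Separately, the `href`, `href_a1` and `href_a2` captures taken from `$~` on the first context line receive no escaping in this hunk; if they are later interpolated into an `<a href="…">` for the linked-image form, the same attribute breakout this commit closes for `src` would remain open there. The enclosing method body starts before and ends after the hunk, so that path is not visible here.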

[msg1][msg2]

', to_html('[msg1][msg2]') end + def test_textile_should_escape_image_urls + # this is onclick="alert('XSS');" in encoded form + raw = '!/images/comment.png"onclick=alert('XSS');"!' + expected = '

' + + assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '') + end + private def assert_html_output(to_test, expect_paragraph = true)
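Review bot: The new test pins only the double-quote breakout inside the image `src`, and compares after stripping all whitespace from both sides (`gsub(%r{\s+}, '')`), which is fine for this payload but should not become the pattern for escaping tests, where a stray space before an injected attribute name is exactly the kind of difference worth noticing. Consider a companion case for the linked-image form (`!url!:link`) so that the `href` path, which this commit does not touch, is covered as well, and a direct negative assertion such as `assert_not_include 'onclick=', to_html(raw).gsub('&quot;onclick=', '')` would make the intent of the test self-evident. The exact expected markup is not legible in this rendering of the hunk, so the encoded payload referred to in the comment `# this is onclick="alert('XSS');" in encoded form` could not be checked against the raw string shown.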