diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index d2d369f2904..6197c434d63 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -22,7 +22,7 @@ class CookedPostProcessor
@cooking_options = @cooking_options.symbolize_keys
cooked = post.cook(post.raw, @cooking_options)
- @doc = Nokogiri::HTML5::fragment(cooked)
+ @doc = Loofah.fragment(cooked)
@has_oneboxes = post.post_analyzer.found_oneboxes?
@size_cache = {}
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index 97ea38ddd7b..6117d88f231 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -1809,4 +1809,12 @@ describe CookedPostProcessor do
end
end
+ context "#html" do
+ it "escapes attributes" do
+ post = Fabricate(:post, raw: '![<something>]()
')
+ expect(post.cook(post.raw)).to eq('![<something>]()
')
+ expect(CookedPostProcessor.new(post).html).to eq('![<something>]()
')
+ end
+ end
+
end