renderer: HTML-escape admonition title and guard against empty attachments

mkDocsAdmonition: escape the admonition title with html.EscapeString
before inserting it into the Confluence storage format XML. An unescaped
title containing '<', '>', '&', or '"' would break the XML structure.

image: add a len(attachments)==0 guard before accessing attachments[0]
in the local-attachment code path. ResolveLocalAttachments always returns
either an error or the requested attachments, so this is currently
unreachable, but the explicit check prevents a future silent panic if the
function's behaviour changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

renderer/image.go

@@ -2,6 +2,7 @@ package renderer
 
 import (
 	"bytes"
+	"fmt"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -143,6 +144,9 @@ func (r *ConfluenceImageRenderer) renderImage(writer util.BufWriter, source []by
 			},
 		)
 	} else {
+		if len(attachments) == 0 {
+			return ast.WalkStop, fmt.Errorf("no attachment resolved for %q", string(n.Destination))
+		}
 
 		r.Attachments.Attach(attachments[0])
 

renderer/mkDocsAdmonition.go

@@ -2,6 +2,7 @@ package renderer
 
 import (
 	"fmt"
+	stdhtml "html"
 	"strconv"
 
 	parser "github.com/stefanfritsch/goldmark-admonitions"
@@ -81,7 +82,7 @@ func (r *ConfluenceMkDocsAdmonitionRenderer) renderMkDocsAdmonition(writer util.
 
 		title, _ := strconv.Unquote(string(n.Title))
 		if title != "" {
-			titleHTML := fmt.Sprintf("<p><strong>%s</strong></p>\n", title)
+			titleHTML := fmt.Sprintf("<p><strong>%s</strong></p>\n", stdhtml.EscapeString(title))
 			if _, err := writer.Write([]byte(titleHTML)); err != nil {
 				return ast.WalkStop, err
 			}