diff --git a/umap/static/umap/js/modules/utils.js b/umap/static/umap/js/modules/utils.js
index 340d1122..f5c36a31 100644
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@@ -88,7 +88,7 @@ export function escapeHTML(s) {
'span',
],
ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
- ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
+ ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style', 'dir', 'title'],
// Added: `geo:` URL scheme as defined in RFC5870:
// https://www.rfc-editor.org/rfc/rfc5870.html
// The base RegExp comes from:
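Review bot: The widened `ALLOWED_ATTR` entry carries no comment explaining why `dir` and `title` are allowed, even though this list is the attribute boundary for whatever HTML `escapeHTML` lets through. The option names look like DOMPurify's, where `ALLOWED_ATTR` replaces the default allow-list rather than extending it, so every entry here is a deliberate decision and should be recorded as one. I would add a line above it such as `// dir/title: text direction and tooltip text only; neither loads a resource nor executes script`. Future additions would then be held to the same justification. The body of `escapeHTML` starts and ends outside this hunk, so the sanitizer call itself is not visible here.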
diff --git a/umap/static/umap/unittests/utils.js b/umap/static/umap/unittests/utils.js
index 4624b273..c405b4d4 100644
--- a/umap/static/umap/unittests/utils.js
+++ b/umap/static/umap/unittests/utils.js
@@ -185,6 +185,13 @@ describe('Utils', function () {
assert.equal(Utils.escapeHTML(''), '')
})
+ it('should not escape dir and title attributes', function () {
+ assert.equal(
+ Utils.escapeHTML(''),
+ ''
+ )
+ })
+
it('should not fail with int value', function () {
assert.equal(Utils.escapeHTML(25), '25')
})
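Review bot: As shown on this page, the new test passes an empty string and expects an empty string, so it would still pass if `dir` and `title` were dropped from the allow-list. The markup inside the literals may simply have been lost when the page was rendered, so check this against the real file. Either way the test covers only the positive case. A paired negative assertion would pin the boundary, e.g. `assert.equal(Utils.escapeHTML('<span dir="rtl" onclick="x()">a</span>'), '<span dir="rtl">a</span>')`, confirming that an attribute outside the list is still stripped from the same element. The enclosing `describe('Utils', ...)` block begins and ends outside this hunk.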