Use character references for escaped attributes.

When attribute values contain both an apostrophe and a double quote, we should substitute the character being used to wrap the value with its key code instead of named/keyword entities (for IE support). Fixes #418. Signed-off-by: Norman Clarke <norman@njclarke.com>
2022-11-09 12:33:31 -05:00 · 2011-07-22 15:30:58 -05:00 · 2011-07-22 15:30:58 -05:00 · 6a809664f8
commit 6a809664f8
parent c16bc75dda
3 changed files with 11 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -40,6 +40,11 @@
 * Fix for inner whitespace removal in loops.
  (thanks [Richard Michael](https://github.com/richardkmichael))

+* Use numeric character references rather than HTML entities when escaping
+  double quotes and apostrophes in attributes. This works around some bugs in
+  Internet Explorer earlier than version 9.
+  (thanks [Doug Mayer](https://github.com/doxavore))
+
 ## 3.1.5 (Unreleased)

 * Respect Rails' `html_safe` flag when escaping attribute values
@ -68,6 +73,8 @@

 * Fix an issue where destructive modification was sometimes performed on Rails SafeBuffers.

+* Use character code entities for attribute value replacements instead of named/keyword entities.
+
 ## 3.1.1

 * Update the vendored Sass to version 3.1.0.
--- a/lib/haml/compiler.rb
+++ b/lib/haml/compiler.rb
@ -358,7 +358,7 @@ END

    # This is a class method so it can be accessed from Buffer.
    def self.build_attributes(is_html, attr_wrapper, escape_attrs, hyphenate_data_attrs, attributes = {})
-      quote_escape = attr_wrapper == '"' ? "&quot;" : "&apos;"
+      quote_escape = attr_wrapper == '"' ? "&#x0022;" : "&#x0027;"
      other_quote_char = attr_wrapper == '"' ? "'" : '"'

      if attributes['data'].is_a?(Hash)
@ -391,7 +391,7 @@ END
        value = Haml::Helpers.preserve(escaped)
        if escape_attrs
          # We want to decide whether or not to escape quotes
-          value = value.gsub('&quot;', '"')
+          value = value.gsub('&quot;', '"').gsub('&#x0022;', '"')
          this_attr_wrapper = attr_wrapper
          if value.include? attr_wrapper
            if value.include? other_quote_char
--- a/test/engine_test.rb
+++ b/test/engine_test.rb
@ -1127,7 +1127,7 @@ HAML
    assert_equal("<p strange=*attrs*></p>\n", render("%p{ :strange => 'attrs'}", :attr_wrapper => '*'))
    assert_equal("<p escaped='quo\"te'></p>\n", render("%p{ :escaped => 'quo\"te'}", :attr_wrapper => '"'))
    assert_equal("<p escaped=\"quo'te\"></p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
-    assert_equal("<p escaped=\"q'uo&quot;te\"></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
+    assert_equal("<p escaped=\"q'uo&#x0022;te\"></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
    assert_equal("<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n", render("!!! XML", :attr_wrapper => '"'))
  end

@ -1511,7 +1511,7 @@ HAML
      render("%div{:data => {:one_plus_one => 1+1}}",
        :hyphenate_data_attrs => false))

-    assert_equal("<div data-foo='Here&apos;s a \"quoteful\" string.'></div>\n",
+    assert_equal("<div data-foo='Here&#x0027;s a \"quoteful\" string.'></div>\n",
      render(%{%div{:data => {:foo => %{Here's a "quoteful" string.}}}},
        :hyphenate_data_attrs => false)) #'
  end