author | Daniel Veillard <veillard@redhat.com> | 2012-09-05 11:45:32 +0800 |
---|---|---|
committer | Daniel Veillard <veillard@redhat.com> | 2012-09-05 12:11:43 +0800 |
commit | 7d4c529a334845621e2f805c8ed0e154b3350cec (patch) | |
tree | 541645b371f66a4e28a9da123c70e53f4dfe7299 /HTMLtree.c | |
parent | 857104cd494765daf0749ae4f7dd49563811b669 (diff) | |
download | android_external_libxml2-7d4c529a334845621e2f805c8ed0e154b3350cec.tar.gz android_external_libxml2-7d4c529a334845621e2f805c8ed0e154b3350cec.tar.bz2 android_external_libxml2-7d4c529a334845621e2f805c8ed0e154b3350cec.zip |
Improve HTML escaping of attribute on output
Handle special cases of &{...} constructs as hinted in the spec
http://www.w3.org/TR/html401/appendix/notes.html#h-B.7.1
and special values as comment <!-- ... --> used for server side includes
This is limited to attribute values in HTML content.
Diffstat (limited to 'HTMLtree.c')
-rw-r--r-- | HTMLtree.c | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -690,9 +690,10 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur, xmlChar *value; /* - * TODO: The html output method should not escape a & character - * occurring in an attribute value immediately followed by - * a { character (see Section B.7.1 of the HTML 4.0 Recommendation). + * The html output method should not escape a & character + * occurring in an attribute value immediately followed by + * a { character (see Section B.7.1 of the HTML 4.0 Recommendation). + * This is implemented in xmlEncodeEntitiesReentrant */ if (cur == NULL) { @@ -720,7 +721,11 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur, while (IS_BLANK_CH(*tmp)) tmp++; - escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+"); + /* + * the < and > have already been escaped at the entity level + * And doing so here breaks server side includes + */ + escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>"); if (escaped != NULL) { xmlBufWriteQuotedString(buf->buffer, escaped); xmlFree(escaped); |
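Review bot: the first hunk turns the TODO into a statement that the `&{` handling "is implemented in xmlEncodeEntitiesReentrant", but nothing in this diff (limited to HTMLtree.c) touches that function, so the claim cannot be verified from the hunk; either land the entities change in the same commit or state the exact condition it applies (a `&` immediately followed by `{` is left unescaped, per the B.7.1 reference in the same comment) so a reader of htmlAttrDumpOutput knows which `&` characters reach the output unescaped without having to open another file.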
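Review bot: adding `<>` to the xmlURIEscapeStr exception list in the second hunk depends on the new comment's assumption that `<` and `>` were already entity-escaped before `tmp` reached this point, yet that earlier step is outside the hunk; please confirm that `value`, and therefore `tmp`, comes from the entity-escaping path for every attribute that takes this branch, because a literal `<` or `>` arriving here now goes into the quoted attribute unencoded, and those are exactly the characters that let an attribute value break out into markup. A regression test with an href containing `<!-- ... -->` (the server-side include case from the commit message) next to one containing a bare `<` would pin down both the intended behaviour and the invariant the comment relies on.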