Commit8765511

committed

fixup!Fix#11,#12: quote attributes that need escaping in legacy browsers

1 parent15ff801 commit8765511Copy full SHA for 8765511

File tree

+12

-37

lines changed

CHANGES.rst
html5lib
- serializer
  - htmlserializer.py
- tests/serializer-testdata
  - options.test

+12

-37

lines changed

Lines changed: 6 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,11 +33,12 @@ Released on XXX`
`33`	`33`	`* **Use scripting disabled by default (as we don't implement`
`34`	`34`	`scripting).**`
`35`	`35`
`36`		`-* Fix #11, avoiding the XSS bug potentially caused by serializer allowing`
`37`		`- attribute values to be escaped out of in old browser versions, changing`
`38`		`- the quote_attr_values option on serializer to take one of three values,`
`39`		`- "always" (the old True value), "legacy" (the new option, and the new`
`40`		`- default), and "spec" (the old False value, and the old default).`
	`36`	`+* **Fix #11, avoiding the XSS bug potentially caused by serializer`
	`37`	`+ allowing attribute values to be escaped out of in old browser versions,`
	`38`	`+ changing the quote_attr_values option on serializer to take one of`
	`39`	`+ three values, "always" (the old True value), "legacy" (the new option,`
	`40`	`+ and the new default), and "spec" (the old False value, and the old`
	`41`	`+ default).**`
`41`	`42`
`42`	`43`
`43`	`44`	`0.9999999/1.0b8`

Lines changed: 2 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -248,14 +248,11 @@ def serialize(self, treewalker, encoding=None):`
`248`	`248`	`(knotinbooleanAttributes.get(name,tuple())and`
`249`	`249`	`knotinbooleanAttributes.get("",tuple())):`
`250`	`250`	`yieldself.encodeStrict("=")`
`251`		`-if (self.quote_attr_values=="always"or`
`252`		`-self.quote_attr_valuesisTrueor`
`253`		`-len(v)==0):`
	`251`	`+ifself.quote_attr_values=="always"orlen(v)==0:`
`254`	`252`	`quote_attr=True`
`255`	`253`	`elifself.quote_attr_values=="spec":`
`256`	`254`	`quote_attr=quoteAttributeSpec.search(v)isnotNone`
`257`		`-elif (self.quote_attr_values=="legacy"or`
`258`		`-self.quote_attr_valuesisFalse):`
	`255`	`+elifself.quote_attr_values=="legacy":`
`259`	`256`	`quote_attr=quoteAttributeLegacy.search(v)isnotNone`
`260`	`257`	`else:`
`261`	`258`	`raiseValueError("quote_attr_values must be one of: "`

Lines changed: 4 additions & 27 deletions

Original file line number	Diff line number	Diff line change
`@@ -41,9 +41,9 @@`
`41`	`41`	`]`
`42`	`42`	`]`
`43`	`43`	`],`
`44`		`- "description": "quote_attr_values=true",`
	`44`	`+ "description": "quote_attr_values='always'",`
`45`	`45`	`"options": {`
`46`		`- "quote_attr_values":true`
	`46`	`+ "quote_attr_values":"always"`
`47`	`47`	`}`
`48`	`48`	`},`
`49`	`49`	`{`
`@@ -64,32 +64,9 @@`
`64`	`64`	`]`
`65`	`65`	`]`
`66`	`66`	`],`
`67`		`- "description": "quote_attr_values=true with irrelevant",`
	`67`	`+ "description": "quote_attr_values='always' with irrelevant",`
`68`	`68`	`"options": {`
`69`		`- "quote_attr_values": true`
`70`		`- }`
`71`		`- },`
`72`		`- {`
`73`		`- "expected": [`
`74`		`- "<div class=\"foo\">"`
`75`		`- ],`
`76`		`- "input": [`
`77`		`- [`
`78`		`- "StartTag",`
`79`		`- "http://www.w3.org/1999/xhtml",`
`80`		`- "div",`
`81`		`- [`
`82`		`- {`
`83`		`- "namespace": null,`
`84`		`- "name": "class",`
`85`		`- "value": "foo"`
`86`		`- }`
`87`		`- ]`
`88`		`- ]`
`89`		`- ],`
`90`		`- "description": "non-minimized quote_attr_values=true",`
`91`		`- "options": {`
`92`		`- "quote_attr_values": true`
	`69`	`+ "quote_attr_values": "always"`
`93`	`70`	`}`
`94`	`71`	`},`
`95`	`72`	`{`

Comments

(0)