Commitfe1baa8

committed

Fix#11,#12: quote attributes that need escaping in legacy browsers

These are mostly out of the market now, so this isn't massivelyneeded any more; nevertheless, avoiding XSS as much as possible isinevitably desirable.This alters the API so that quote_attr_values is now a ternarysetting, choosing between legacy-safe behaviour, spec behaviour, andalways quoting.

1 parent1c32730 commitfe1baa8Copy full SHA for fe1baa8

File tree

1 file changed

+13

-6

lines changed

html5lib/serializer
- htmlserializer.py

1 file changed

+13

-6

lines changed

`‎html5lib/serializer/htmlserializer.py‎`

Lines changed: 13 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,13 @@`
`11`	`11`	`spaceCharacters="".join(spaceCharacters)`
`12`	`12`
`13`	`13`	quoteAttributeSpec=re.compile("["+spaceCharacters+"\"'=<>`]")
	`14`	`+quoteAttributeLegacy=re.compile("[\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n"`
	`15`	`+"\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15"`
	`16`	`+"\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"`
	`17`	`+"\x20\x2f\x60\xa0\u1680\u180e\u180f\u2000"`
	`18`	`+"\u2001\u2002\u2003\u2004\u2005\u2006\u2007"`
	`19`	`+"\u2008\u2009\u200a\u2028\u2029\u202f\u205f"`
	`20`	`+"\u3000]")`
`14`	`21`
`15`	`22`	`try:`
`16`	`23`	`fromcodecsimportregister_error,xmlcharrefreplace_errors`
`@@ -72,7 +79,7 @@ def htmlentityreplace_errors(exc):`
`72`	`79`	`classHTMLSerializer(object):`
`73`	`80`
`74`	`81`	`# attribute quoting options`
`75`		`-quote_attr_values=False`
	`82`	`+quote_attr_values="legacy"`
`76`	`83`	`quote_char='"'`
`77`	`84`	`use_best_quote_char=True`
`78`	`85`
`@@ -108,9 +115,9 @@ def __init__(self, **kwargs):`
`108`	`115`	`inject_meta_charset=True\|False`
`109`	`116`	`Whether it insert a meta element to define the character set of the`
`110`	`117`	`document.`
`111`		`- quote_attr_values=True\|False`
	`118`	`+ quote_attr_values="legacy"\|"spec"\|True`
`112`	`119`	`Whether to quote attribute values that don't require quoting`
`113`		`- perHTML5 parsingrules.`
	`120`	`+ perlegacy browser behaviour, HTML authoringrules, or always.`
`114`	`121`	`quote_char=u'"'\|u"'"`
`115`	`122`	`Use given quote character for attribute quoting. Default is to`
`116`	`123`	`use double quote unless attribute value contains a double quote,`
`@@ -239,10 +246,10 @@ def serialize(self, treewalker, encoding=None):`
`239`	`246`	`(knotinbooleanAttributes.get(name,tuple())and`
`240`	`247`	`knotinbooleanAttributes.get("",tuple())):`
`241`	`248`	`yieldself.encodeStrict("=")`
`242`		`-ifself.quote_attr_values:`
	`249`	`+ifself.quote_attr_valuesorlen(v)==0:`
`243`	`250`	`quote_attr=True`
`244`		`-else:`
`245`		`-quote_attr=len(v)==0orquoteAttributeSpec.search(v)`
	`251`	`+elif:`
	`252`	`+quoteAttributeSpec.search(v)`
`246`	`253`	`v=v.replace("&","&")`
`247`	`254`	`ifself.escape_lt_in_attrs:`
`248`	`255`	`v=v.replace("<","<")`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfe1baa8

File tree

1 file changed

1 file changed

`‎html5lib/serializer/htmlserializer.py‎`

0 commit comments