Html: chars '<' in attributes are encoded in XHTML

nette · Aug 5, 2015 · 1d98085 · 1d98085
1 parent adedbf5
commit 1d98085
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/src/Utils/Html.php b/src/Utils/Html.php
@@ -554,8 +554,12 @@ public function attributes()
 			}
 
 			$q = strpos($value, '"') === FALSE ? '"' : "'";
-			$s .= ' ' . $key . '='
-				. $q . str_replace(array('&', $q), array('&amp;', $q === '"' ? '&quot;' : '&#39;'), $value)
+			$s .= ' ' . $key . '=' . $q
+				. str_replace(
+					array('&', $q, '<'),
+					array('&amp;', $q === '"' ? '&quot;' : '&#39;', self::$xhtml ? '&lt;' : '<'),
+					$value
+				)
 				. (strpos($value, '`') !== FALSE && strpbrk($value, ' <>"\'') === FALSE ? ' ' : '')
 				. $q;
 		}

diff --git a/tests/Utils/Html.basic.phpt b/tests/Utils/Html.basic.phpt
@@ -73,6 +73,10 @@ test(function () { // small & big numbers
 
 
 test(function () { // attributes escaping
+	Html::$xhtml = TRUE;
+	Assert::same('<a one=\'"\' two="\'" three="&lt;>" four="&amp;amp;"></a>', (string) Html::el('a')->one('"')->two("'")->three('<>')->four('&amp;'));
+
+	Html::$xhtml = FALSE;
 	Assert::same('<a one=\'"\' two="\'" three="<>" four="&amp;amp;"></a>', (string) Html::el('a')->one('"')->two("'")->three('<>')->four('&amp;'));
 	Assert::same('<a one="``xx "></a>', (string) Html::el('a')->one('``xx')); // mXSS
 });