Be precise when (un)protecting source in attributes.

ckeditor · Mar 13, 2014 · 6675efb · 6675efb
1 parent 4d9b6bb
commit 6675efb
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/core/htmldataprocessor.js b/core/htmldataprocessor.js
@@ -883,8 +883,9 @@
 
 		// Different protection pattern is used for those that
 		// live in attributes to avoid from being HTML encoded.
-		return data.replace( /(['"]).*?\1/g, function( match ) {
-			return match.replace( /<!--\{cke_protected\}([\s\S]+?)-->/g, function( match, data ) {
+		// Why so serious? See #9205, #8216, #7805.
+		return data.replace( /<\w([^'">]+|'[^']*'|"[^"]*")+>/g, function( match ) {
+			return match.replace( /<!--\{cke_protected\}([^>]*)-->/g, function( match, data ) {
 				store[ store.id ] = decodeURIComponent( data );
 				return '{cke_protected_' + ( store.id++ ) + '}';
 			} );