
Commit 0c2f42d

strakerWilcoFiers
authored andcommitted
fix: escape href attribute when creating a CSS selector [#1137] (#1366)
* fix: escape href attribute when creating a CSS selector * escape shortened urls
1 parent 7ec4cec commit 0c2f42d


2 files changed

+27
-6
lines changed


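--- a/lib/core/utils/get-selector.js
+++ b/lib/core/utils/get-selector.js
@@ -36,12 +36,16 @@ function getAttributeNameValue(node, at) {
 if (friendly) {
 let value = encodeURI(friendly);
 if (value) {
-atnv = escapeSelector(at.name) + '$="' + value + '"';
+atnv = escapeSelector(at.name) + '$="' + escapeSelector(value) + '"';
 } else {
 return;
 }
 } else {
-atnv = escapeSelector(at.name) + '="' + node.getAttribute(name) + '"';
+atnv =
+escapeSelector(at.name) +
+'="' +
+escapeSelector(node.getAttribute(name)) +
+'"';
 }
 } else {
 atnv = escapeSelector(name) + '="' + escapeSelector(at.value) + '"';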
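Review bot: The rewritten `else` assignment takes the attribute name from `at.name` but the value from `node.getAttribute(name)`, while the branch directly below reads `at.value`. If `name` is `at.name` (its definition is outside the hunk, as are the start and end of getAttributeNameValue), `atnv = escapeSelector(at.name) + '="' + escapeSelector(at.value) + '"';` says the same thing on one line. Neither escaped call site explains why the value needs escaping, so a comment above `if (friendly) {` would help: `// href/src values come from the page being tested; escape them so quotes, backslashes or newlines cannot break the quoted selector string`. Judging by the expected strings in the test file, `escapeSelector` does identifier-style escaping, which is more than a quoted string needs but should still parse back to the same value.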

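--- a/test/core/utils/get-selector.js
+++ b/test/core/utils/get-selector.js
@@ -494,8 +494,22 @@ describe('axe.utils.getSelector', function() {
 img2.setAttribute('src', '//deque.com/logo.png');
 
 fixtureSetup([link1, link2, img1, img2]);
-assert.equal(axe.utils.getSelector(link2), 'a[href$="about/"]');
-assert.equal(axe.utils.getSelector(img2), 'img[src$="logo.png"]');
+assert.equal(axe.utils.getSelector(link2), 'a[href$="about\\/"]');
+assert.equal(axe.utils.getSelector(img2), 'img[src$="logo\\.png"]');
+});
+
+it('should escape href attributes', function() {
+var link1 = document.createElement('a');
+link1.setAttribute('href', '//deque.com/about/');
+
+var link2 = document.createElement('a');
+link2.setAttribute('href', '//deque.com/child/ \n\n\n');
+
+fixtureSetup([link1, link2]);
+assert.equal(
+axe.utils.getSelector(link2),
+'a[href="\\/\\/deque\\.com\\/child\\/\\ \\a \\a \\a "]'
+);
 });
 
 it('should not generate universal selectors', function() {
@@ -516,8 +530,11 @@ describe('axe.utils.getSelector', function() {
 node2.setAttribute('href', href2);
 fixtureSetup([node1, node2]);
 
-assert.include(axe.utils.getSelector(node1), href1);
-assert.include(axe.utils.getSelector(node2), href2);
+assert.include(axe.utils.getSelector(node1), 'mars2\\.html\\?a\\=be_bold');
+assert.include(
+axe.utils.getSelector(node2),
+'mars2\\.html\\?a\\=be_italic'
+);
 });
 
 // shadow DOM v1 - note: v0 is compatible with this code, so no need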
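Review bot: The new 'should escape href attributes' test pins the escaped string but never checks that the generated selector still resolves to the element. It also exercises whitespace and newlines but not `"` or `\`, which likewise change how a quoted attribute value is parsed. Adding `assert.equal(document.querySelector(axe.utils.getSelector(link2)), link2);` after the string assertion would catch an escaping change that yields a valid but non-matching selector, assuming fixtureSetup attaches the nodes to the document. `link1` in that test is created but never asserted on, so a short comment saying why it is in the fixture would help the next reader.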
