facebook · syranide · Feb 5, 2015
diff --git a/src/browser/ui/__tests__/ReactDOMComponent-test.js b/src/browser/ui/__tests__/ReactDOMComponent-test.js
@@ -443,8 +443,8 @@ describe('ReactDOMComponent', function() {
           }, '\'"<>&')
         )
       ).toBe(
-        '<div title="&#x27;&quot;&lt;&gt;&amp;" style="text-align:&#x27;&quot;&lt;&gt;&amp;;">' +
-          '&#x27;&quot;&lt;&gt;&amp;' +
+        '<div title="\'&quot;&lt;&gt;&amp;" style="text-align:\'&quot;&lt;&gt;&amp;;">' +
+          '\'"&lt;&gt;&amp;' +
         '</div>'
       );
     });

diff --git a/src/utils/__tests__/escapeTextContentForBrowser-test.js b/src/utils/__tests__/escapeTextContentForBrowser-test.js
@@ -35,11 +35,9 @@ describe('escapeTextContentForBrowser', function() {
   });
 
   it('should escape string', function() {
-    var escaped = escapeTextContentForBrowser('<script type=\'\' src=""></script>');
+    var escaped = escapeTextContentForBrowser('<script></script>');
     expect(escaped).not.toContain('<');
     expect(escaped).not.toContain('>');
-    expect(escaped).not.toContain('\'');
-    expect(escaped).not.toContain('\"');
 
     escaped = escapeTextContentForBrowser('&');
     expect(escaped).toBe('&amp;');

diff --git a/src/utils/__tests__/quoteAttributeValueForBrowser-test.js b/src/utils/__tests__/quoteAttributeValueForBrowser-test.js
@@ -35,10 +35,9 @@ describe('quoteAttributeValueForBrowser', function() {
   });
 
   it('should escape string', function() {
-    var escaped = quoteAttributeValueForBrowser('<script type=\'\' src=""></script>');
+    var escaped = quoteAttributeValueForBrowser('<script src=""></script>');
     expect(escaped).not.toContain('<');
     expect(escaped).not.toContain('>');
-    expect(escaped).not.toContain('\'');
     expect(escaped.substr(1, -1)).not.toContain('\"');
 
     escaped = quoteAttributeValueForBrowser('&');

diff --git a/src/utils/escapeTextContentForBrowser.js b/src/utils/escapeTextContentForBrowser.js
@@ -11,24 +11,25 @@
 
 'use strict';
 
+// `"` and `'` are not escaped; they are parsed as regular characters in the
+// context of text content.
+
 var ESCAPE_LOOKUP = {
   '&': '&amp;',
   '>': '&gt;',
-  '<': '&lt;',
-  '"': '&quot;',
-  '\'': '&#x27;'
+  '<': '&lt;'
 };
 
-var ESCAPE_REGEX = /[&><"']/g;
+var ESCAPE_REGEX = /[&><]/g;
 
 function escaper(match) {
   return ESCAPE_LOOKUP[match];
 }
 
 /**
- * Escapes text to prevent scripting attacks.
+ * Escapes text content to prevent scripting attacks.
  *
- * @param {*} text Text value to escape.
+ * @param {*} text Text content value to escape.
  * @return {string} An escaped string.
  */
 function escapeTextContentForBrowser(text) {

diff --git a/src/utils/quoteAttributeValueForBrowser.js b/src/utils/quoteAttributeValueForBrowser.js
@@ -11,16 +11,33 @@
 
 "use strict";
 
-var escapeTextContentForBrowser = require('escapeTextContentForBrowser');
+// `'` is not escaped; OWASP asserts "Properly quoted attributes can only be
+// escaped with the corresponding quote.". All attribute value quoting must use
+// this function which exclusively quotes with `"`. However, `<` and `>` are
+// still escaped as a precaution for when markup is served within inline
+// scripts or comments without sufficient escaping.
+
+var ESCAPE_LOOKUP = {
+  '&': '&amp;',
+  '>': '&gt;',
+  '<': '&lt;',
+  '"': '&quot;'
+};
+
+var ESCAPE_REGEX = /[&><"]/g;
+
+function escaper(match) {
+  return ESCAPE_LOOKUP[match];
+}
 
 /**
  * Escapes attribute value to prevent scripting attacks.
  *
- * @param {*} value Value to escape.
+ * @param {*} value Attribute value to escape.
  * @return {string} An escaped string.
  */
 function quoteAttributeValueForBrowser(value) {
-  return '"' + escapeTextContentForBrowser(value) + '"';
+  return '"' + ('' + value).replace(ESCAPE_REGEX, escaper) + '"';
 }
 
 module.exports = quoteAttributeValueForBrowser;