Merge pull request #40 from samupl/attributes-quote-xss

Fix xss risk if there is a html tag and remove optional attribute quotes is on

htmlmin/escape.py

@@ -51,10 +51,11 @@ def escape_attr_name(val):
 
 def escape_attr_value(val, double_quote=False):
   val = escape_ambiguous_ampersand(val)
+  has_html_tag = '<' in val or '>' in val
   if double_quote:
     return (val.replace('"', '&#34;'), DOUBLE_QUOTE)
-  if '"' in val:
-    if "'" in val:
+  if '"' in val or has_html_tag:
+    if "'" in val or has_html_tag:
       return (val.replace('"', '&#34;'), DOUBLE_QUOTE)
     else:
       return (val, SINGLE_QUOTE)

htmlmin/tests/tests.py

@@ -139,6 +139,16 @@
     '<img width="100" height="50" src="#something" />',
     '<img width="100" height="50" src="#something">',
   ),
+  'remove_optional_attribute_quotes': (
+    (
+      '<td data-text="&lt;script&gt;alert(\'123\');&lt;/script&gt;">',
+      '<td data-text="<script>alert(\'123\');</script>">',
+    ),
+    (
+      '<td data-text="&lt;script&gt;alert(123);&lt;/script&gt;">',
+      '<td data-text="<script>alert(123);</script>">',
+    ),
+  ),
   'keep_pre_attribute': (
     '<body>the <strong pre   style="">pre</strong> should stay  </body>',
     '<body>the <strong pre style>pre</strong> should stay </body>',
@@ -388,6 +398,11 @@ def test_keep_optional_attribute_quotes(self):
     text = self.__reference_texts__['keep_optional_attribute_quotes']
     self.assertEqual(htmlmin.minify(text[0], remove_optional_attribute_quotes=False), text[1])
 
+  def test_remove_optional_attribute_quotes(self):
+    texts = self.__reference_texts__['remove_optional_attribute_quotes']
+    for text in texts:
+      self.assertEqual(htmlmin.minify(text[0], remove_optional_attribute_quotes=True), text[1])
+
   def test_keep_pre_attribute(self):
     text = self.__reference_texts__['keep_pre_attribute']
     self.assertEqual(htmlmin.minify(text[0], keep_pre=True), text[1])