diff --git a/src/Utils/Html.php b/src/Utils/Html.php
index a29b01ec3..7e018a1df 100644
--- a/src/Utils/Html.php
+++ b/src/Utils/Html.php
@@ -523,7 +523,10 @@ public function attributes()
 $v = Json::encode($v);
 }
 $q = strpos($v, '"') === FALSE ? '"' : "'";
- $s .= ' data-' . $k . '=' . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $v) . $q;
+ $s .= ' data-' . $k . '='
+ . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $v)
+ . (strpos($v, '`') === FALSE ? '' : ' ')
+ . $q;
 }
 }
 continue;
@@ -551,7 +554,10 @@ public function attributes()
 }
 $q = strpos($value, '"') === FALSE ? '"' : "'";
- $s .= ' ' . $key . '=' . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $value) . $q;
+ $s .= ' ' . $key . '='
+ . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $value)
+ . (strpos($value, '`') === FALSE ? '' : ' ')
+ . $q;
 }
 $s = str_replace('@', '@', $s);
diff --git a/tests/Utils/Html.basic.phpt b/tests/Utils/Html.basic.phpt
index 3493e2d86..336126c66 100644
--- a/tests/Utils/Html.basic.phpt
+++ b/tests/Utils/Html.basic.phpt
@@ -66,6 +66,7 @@ test(function() {
 test(function() { // attributes escaping
 Assert::same( '', (string) Html::el('a')->one('"')->two("'")->three('<>')->four('&') );
+ Assert::same( '' , (string) Html::el('a')->one("``xx'")->two('``x"') ); // mXSS
 });
diff --git a/tests/Utils/Html.data.phpt b/tests/Utils/Html.data.phpt
index c49413b43..4d0fbe572 100644
--- a/tests/Utils/Html.data.phpt
+++ b/tests/Utils/Html.data.phpt
@@ -19,8 +19,9 @@ test(function() { // deprecated
 $el->data['d'] = '';
 $el->data['e'] = 'two';
 $el->{'data-x'} = 'x';
+ $el->data['mxss'] = '``two';
- Assert::same( '
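Review bot: The quote choice, the entity `str_replace()` and the new backtick guard are now copied verbatim in this hunk and again in the `$key`/`$value` hunk at @@ -551, so this commit had to make the same edit twice and the next escaping change will too; moving them into one private helper keeps both branches identical. The purpose of the appended space is also not stated anywhere in the code, and it reads as stray whitespace to anyone who does not know that legacy IE treats a backtick inside an attribute value as a delimiter; a comment such as `// guard space: a backtick in the value would otherwise act as an attribute delimiter in old IE (mXSS)` belongs next to it, or on the helper. The enclosing attributes() method begins and ends outside both hunks.
```php
	/** Quotes an attribute value; the trailing guard space stops a backtick in the value from acting as an attribute delimiter in old IE (mXSS). */
	private static function quoteAttr($value)
	{
		$q = strpos($value, '"') === FALSE ? '"' : "'";
		return $q
			. str_replace(array('&', $q), array('&amp;', $q === '"' ? '&quot;' : '&#39;'), $value)
			. (strpos($value, '`') === FALSE ? '' : ' ')
			. $q;
	}

	// … in attributes(), data-attribute branch …
	$s .= ' data-' . $k . '=' . self::quoteAttr($v);
	// … unchanged: remaining loop body …
	$s .= ' ' . $key . '=' . self::quoteAttr($value);
```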
', (string) $el );
+ Assert::same( '
', (string) $el );
 });