Use character references for escaped attributes.

When attribute values contain both an apostrophe and a double quote, we should substitute the character being used to wrap the value with its key code instead of named/keyword entities (for IE support). Fixes haml#418. Signed-off-by: Norman Clarke <norman@njclarke.com>
snatchev · Apr 30, 2012 · 6a80966 · 6a80966
1 parent c16bc75
commit 6a80966
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -40,6 +40,11 @@
 * Fix for inner whitespace removal in loops.
   (thanks [Richard Michael](https://github.com/richardkmichael))
 
+* Use numeric character references rather than HTML entities when escaping
+  double quotes and apostrophes in attributes. This works around some bugs in
+  Internet Explorer earlier than version 9.
+  (thanks [Doug Mayer](https://github.com/doxavore))
+
 ## 3.1.5 (Unreleased)
 
 * Respect Rails' `html_safe` flag when escaping attribute values
@@ -68,6 +73,8 @@
 
 * Fix an issue where destructive modification was sometimes performed on Rails SafeBuffers.
 
+* Use character code entities for attribute value replacements instead of named/keyword entities.
+
 ## 3.1.1
 
 * Update the vendored Sass to version 3.1.0.

diff --git a/lib/haml/compiler.rb b/lib/haml/compiler.rb
@@ -358,7 +358,7 @@ def push_generated_script(text)
 
     # This is a class method so it can be accessed from Buffer.
     def self.build_attributes(is_html, attr_wrapper, escape_attrs, hyphenate_data_attrs, attributes = {})
-      quote_escape = attr_wrapper == '"' ? "&quot;" : "&apos;"
+      quote_escape = attr_wrapper == '"' ? "&#x0022;" : "&#x0027;"
       other_quote_char = attr_wrapper == '"' ? "'" : '"'
 
       if attributes['data'].is_a?(Hash)
@@ -391,7 +391,7 @@ def self.build_attributes(is_html, attr_wrapper, escape_attrs, hyphenate_data_at
         value = Haml::Helpers.preserve(escaped)
         if escape_attrs
           # We want to decide whether or not to escape quotes
-          value = value.gsub('&quot;', '"')
+          value = value.gsub('&quot;', '"').gsub('&#x0022;', '"')
           this_attr_wrapper = attr_wrapper
           if value.include? attr_wrapper
             if value.include? other_quote_char

diff --git a/test/engine_test.rb b/test/engine_test.rb
@@ -1127,7 +1127,7 @@ def test_attr_wrapper
     assert_equal("<p strange=*attrs*></p>\n", render("%p{ :strange => 'attrs'}", :attr_wrapper => '*'))
     assert_equal("<p escaped='quo\"te'></p>\n", render("%p{ :escaped => 'quo\"te'}", :attr_wrapper => '"'))
     assert_equal("<p escaped=\"quo'te\"></p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
-    assert_equal("<p escaped=\"q'uo&quot;te\"></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
+    assert_equal("<p escaped=\"q'uo&#x0022;te\"></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
     assert_equal("<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n", render("!!! XML", :attr_wrapper => '"'))
   end
 
@@ -1511,7 +1511,7 @@ def test_html5_data_attributes_without_hyphenation
       render("%div{:data => {:one_plus_one => 1+1}}",
         :hyphenate_data_attrs => false))
 
-    assert_equal("<div data-foo='Here&apos;s a \"quoteful\" string.'></div>\n",
+    assert_equal("<div data-foo='Here&#x0027;s a \"quoteful\" string.'></div>\n",
       render(%{%div{:data => {:foo => %{Here's a "quoteful" string.}}}},
         :hyphenate_data_attrs => false)) #'
   end