Bugfix: invalid attribute values gave out-of-bounds

tdewolff · May 14, 2015 · b4161f8 · b4161f8
1 parent d0c4cdf
commit b4161f8
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/html/util.go b/html/util.go
@@ -41,19 +41,22 @@ func EscapeAttrVal(buf *[]byte, orig, b []byte) []byte {
 		return orig
 	}
 
+	n := len(b) + 2
 	var quote byte
 	var escapedQuote []byte
 	if doubles > singles {
+		n += singles * 4
 		quote = '\''
 		escapedQuote = singleQuoteEntityBytes
 	} else {
+		n += doubles * 4
 		quote = '"'
 		escapedQuote = doubleQuoteEntityBytes
 	}
-	if len(b)+2 > cap(*buf) {
-		*buf = make([]byte, 0, len(b)+2) // maximum size, not actual size
+	if n > cap(*buf) {
+		*buf = make([]byte, 0, n) // maximum size, not actual size
 	}
-	t := (*buf)[:len(b)+2] // maximum size, not actual size
+	t := (*buf)[:n] // maximum size, not actual size
 	t[0] = quote
 	j := 1
 	start := 0