fixup! Fix html5lib#11, html5lib#12: quote attributes that need escaping in legacy browsers

gsnedders · gsnedders · commit 9dac020dc698 · 2013-09-19T23:55:17.000+01:00
diff --git a/html5lib/serializer/htmlserializer.py b/html5lib/serializer/htmlserializer.py
@@ -13,8 +13,10 @@
 
 spaceCharacters = "".join(spaceCharacters)
 
-quoteAttributeSpec = re.compile("[" + spaceCharacters + "\"'=<>`]")
-quoteAttributeLegacy = re.compile("[\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n"
+quoteAttributeSpecChars = spaceCharacters + "\"'=<>`"
+quoteAttributeSpec = re.compile("[" + quoteAttributeSpecChars + "]")
+quoteAttributeLegacy = re.compile("[" + quoteAttributeSpecChars +
+                                  "\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n"
                                   "\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15"
                                   "\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
                                   "\x20\x2f\x60\xa0\u1680\u180e\u180f\u2000"
@@ -82,7 +84,7 @@ def htmlentityreplace_errors(exc):
 class HTMLSerializer(object):
 
     # attribute quoting options
-    quote_attr_values = "legacy"
+    quote_attr_values = "legacy"  # be secure by default
     quote_char = '"'
     use_best_quote_char = True
 
@@ -118,9 +120,9 @@ def __init__(self, **kwargs):
         inject_meta_charset=True|False
           Whether it insert a meta element to define the character set of the
           document.
-        quote_attr_values="legacy"|"spec"|True
+        quote_attr_values="legacy"|"spec"|"always"
           Whether to quote attribute values that don't require quoting
-          per legacy browser behaviour, HTML authoring rules, or always.
+          per legacy browser behaviour, when required by the standard, or always.
         quote_char=u'"'|u"'"
           Use given quote character for attribute quoting. Default is to
           use double quote unless attribute value contains a double quote,
@@ -249,10 +251,15 @@ def serialize(self, treewalker, encoding=None):
                         (k not in booleanAttributes.get(name, tuple())
                          and k not in booleanAttributes.get("", tuple())):
                         yield self.encodeStrict("=")
-                        if self.quote_attr_values or len(v) == 0:
+                        if self.quote_attr_values == "always" or len(v) == 0:
                             quote_attr = True
-                        elif :
-                            quoteAttributeSpec.search(v)
+                        elif self.quote_attr_values == "spec":
+                            quote_attr = quoteAttributeSpec.search(v) is not None
+                        elif self.quote_attr_values == "legacy":
+                            quote_attr = quoteAttributeLegacy.search(v) is not None
+                        else:
+                            raise ValueError("quote_attr_values must be one of: "
+                                             "'always', 'spec', or 'legacy'")
                         v = v.replace("&", "&amp;")
                         if self.escape_lt_in_attrs:
                             v = v.replace("<", "&lt;")
