Fix html5lib#11, html5lib#12: quote attributes that need escaping in legacy browsers

gsnedders · gsnedders · commit a337d3b08b50 · 2013-07-19T23:15:47.000+01:00
These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
diff --git a/html5lib/serializer/htmlserializer.py b/html5lib/serializer/htmlserializer.py
@@ -14,6 +14,13 @@
 spaceCharacters = "".join(spaceCharacters)
 
 quoteAttributeSpec = re.compile("[" + spaceCharacters + "\"'=<>`]")
+quoteAttributeLegacy = re.compile("[\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n"
+                                  "\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15"
+                                  "\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+                                  "\x20\x2f\x60\xa0\u1680\u180e\u180f\u2000"
+                                  "\u2001\u2002\u2003\u2004\u2005\u2006\u2007"
+                                  "\u2008\u2009\u200a\u2028\u2029\u202f\u205f"
+                                  "\u3000]")
 
 try:
     from codecs import register_error, xmlcharrefreplace_errors
@@ -75,7 +82,7 @@ def htmlentityreplace_errors(exc):
 class HTMLSerializer(object):
 
     # attribute quoting options
-    quote_attr_values = False
+    quote_attr_values = "legacy"
     quote_char = '"'
     use_best_quote_char = True
 
@@ -111,9 +118,9 @@ def __init__(self, **kwargs):
         inject_meta_charset=True|False
           Whether it insert a meta element to define the character set of the
           document.
-        quote_attr_values=True|False
+        quote_attr_values="legacy"|"spec"|True
           Whether to quote attribute values that don't require quoting
-          per HTML5 parsing rules.
+          per legacy browser behaviour, HTML authoring rules, or always.
         quote_char=u'"'|u"'"
           Use given quote character for attribute quoting. Default is to
           use double quote unless attribute value contains a double quote,
@@ -242,10 +249,10 @@ def serialize(self, treewalker, encoding=None):
                         (k not in booleanAttributes.get(name, tuple())
                          and k not in booleanAttributes.get("", tuple())):
                         yield self.encodeStrict("=")
-                        if self.quote_attr_values:
+                        if self.quote_attr_values or len(v) == 0:
                             quote_attr = True
-                        else:
-                            quote_attr = len(v) == 0 or quoteAttributeSpec.search(v)
+                        elif :
+                            quoteAttributeSpec.search(v)
                         v = v.replace("&", "&amp;")
                         if self.escape_lt_in_attrs:
                             v = v.replace("<", "&lt;")
