fixup! Fix #11, #12: quote attributes that need escaping in legacy browsers

gsnedders · gsnedders · commit 8765511f333c · 2016-05-11T16:46:44.000-07:00
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -33,11 +33,12 @@ Released on XXX
 * **Use scripting disabled by default (as we don't implement
   scripting).**
 
-* Fix #11, avoiding the XSS bug potentially caused by serializer allowing
-  attribute values to be escaped out of in old browser versions, changing
-  the quote_attr_values option on serializer to take one of three values,
-  "always" (the old True value), "legacy" (the new option, and the new
-  default), and "spec" (the old False value, and the old default).
+* **Fix #11, avoiding the XSS bug potentially caused by serializer
+  allowing attribute values to be escaped out of in old browser versions,
+  changing the quote_attr_values option on serializer to take one of
+  three values, "always" (the old True value), "legacy" (the new option,
+  and the new default), and "spec" (the old False value, and the old
+  default).**
 
 
 0.9999999/1.0b8
diff --git a/html5lib/serializer/htmlserializer.py b/html5lib/serializer/htmlserializer.py
@@ -248,14 +248,11 @@ def serialize(self, treewalker, encoding=None):
                         (k not in booleanAttributes.get(name, tuple()) and
                          k not in booleanAttributes.get("", tuple())):
                         yield self.encodeStrict("=")
-                        if (self.quote_attr_values == "always" or
-                                self.quote_attr_values is True or
-                                len(v) == 0):
+                        if self.quote_attr_values == "always" or len(v) == 0:
                             quote_attr = True
                         elif self.quote_attr_values == "spec":
                             quote_attr = quoteAttributeSpec.search(v) is not None
-                        elif (self.quote_attr_values == "legacy" or
-                              self.quote_attr_values is False):
+                        elif self.quote_attr_values == "legacy":
                             quote_attr = quoteAttributeLegacy.search(v) is not None
                         else:
                             raise ValueError("quote_attr_values must be one of: "
diff --git a/html5lib/tests/serializer-testdata/options.test b/html5lib/tests/serializer-testdata/options.test
@@ -41,9 +41,9 @@
                     ]
                 ]
             ],
-            "description": "quote_attr_values=true",
+            "description": "quote_attr_values='always'",
             "options": {
-                "quote_attr_values": true
+                "quote_attr_values": "always"
             }
         },
         {
@@ -64,32 +64,9 @@
                     ]
                 ]
             ],
-            "description": "quote_attr_values=true with irrelevant",
+            "description": "quote_attr_values='always' with irrelevant",
             "options": {
-                "quote_attr_values": true
-            }
-        },
-        {
-            "expected": [
-                "<div class=\"foo\">"
-            ],
-            "input": [
-                [
-                    "StartTag",
-                    "http://www.w3.org/1999/xhtml",
-                    "div",
-                    [
-                        {
-                            "namespace": null,
-                            "name": "class",
-                            "value": "foo"
-                        }
-                    ]
-                ]
-            ],
-            "description": "non-minimized quote_attr_values=true",
-            "options": {
-                "quote_attr_values": true
+                "quote_attr_values": "always"
             }
         },
         {
