[WebLink] Escape double quotes in attributes values

fancyweb · fancyweb · commit b8d46e59e3d4 · 2021-02-16T12:01:18.000+01:00
diff --git a/HttpHeaderSerializer.php b/HttpHeaderSerializer.php
@@ -39,14 +39,14 @@ public function serialize(iterable $links): ?string
             foreach ($link->getAttributes() as $key => $value) {
                 if (\is_array($value)) {
                     foreach ($value as $v) {
-                        $attributesParts[] = sprintf('%s="%s"', $key, $v);
+                        $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $v));
                     }
 
                     continue;
                 }
 
                 if (!\is_bool($value)) {
-                    $attributesParts[] = sprintf('%s="%s"', $key, $value);
+                    $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $value));
 
                     continue;
                 }
diff --git a/Tests/HttpHeaderSerializerTest.php b/Tests/HttpHeaderSerializerTest.php
@@ -44,4 +44,12 @@ public function testSerializeEmpty()
     {
         $this->assertNull($this->serializer->serialize([]));
     }
+
+    public function testSerializeDoubleQuotesInAttributeValue()
+    {
+        $this->assertSame('</foo>; rel="alternate"; title="\"escape me\" \"already escaped\" \"\"\""', $this->serializer->serialize([
+            (new Link('alternate', '/foo'))
+                ->withAttribute('title', '"escape me" \"already escaped\" ""\"'),
+        ]));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,14 +39,14 @@ public function serialize(iterable $links): ?string`
`39`	`39`	`foreach ($link->getAttributes() as $key => $value) {`
`40`	`40`	`if (\is_array($value)) {`
`41`	`41`	`foreach ($value as $v) {`
`42`		`- $attributesParts[] = sprintf('%s="%s"', $key, $v);`
	`42`	`+ $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $v));`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`continue;`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`if (!\is_bool($value)) {`
`49`		`- $attributesParts[] = sprintf('%s="%s"', $key, $value);`
	`49`	`+ $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $value));`
`50`	`50`
`51`	`51`	`continue;`
`52`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,12 @@ public function testSerializeEmpty()`
`44`	`44`	`{`
`45`	`45`	`$this->assertNull($this->serializer->serialize([]));`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ public function testSerializeDoubleQuotesInAttributeValue()`
	`49`	`+ {`
	`50`	`+ $this->assertSame('</foo>; rel="alternate"; title="\"escape me\" \"already escaped\" \"\"\""', $this->serializer->serialize([`
	`51`	`+ (new Link('alternate', '/foo'))`
	`52`	`+ ->withAttribute('title', '"escape me" \"already escaped\" ""\"'),`
	`53`	`+ ]));`
	`54`	`+ }`
`47`	`55`	`}`