bug #40209 [WebLink] Escape double quotes in attributes values (fancyweb)

fabpot · fabpot · commit f8ce7d0803a7 · 2021-02-16T13:01:27.000+01:00
This PR was merged into the 4.4 branch. Discussion ---------- [WebLink] Escape double quotes in attributes values | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - If the attribute value contains a double quote, the serialized value is invalid: `</foo>; rel="alternate"; title="foo " bar"`. Ideally we would use `addcslashes` but we can't because users that already pass escaped values would then be impacted. Commits ------- 7946be2 [WebLink] Escape double quotes in attributes values
diff --git a/src/Symfony/Component/WebLink/HttpHeaderSerializer.php b/src/Symfony/Component/WebLink/HttpHeaderSerializer.php
@@ -39,14 +39,14 @@ public function serialize(iterable $links): ?string
             foreach ($link->getAttributes() as $key => $value) {
                 if (\is_array($value)) {
                     foreach ($value as $v) {
-                        $attributesParts[] = sprintf('%s="%s"', $key, $v);
+                        $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $v));
                     }
 
                     continue;
                 }
 
                 if (!\is_bool($value)) {
-                    $attributesParts[] = sprintf('%s="%s"', $key, $value);
+                    $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $value));
 
                     continue;
                 }
diff --git a/src/Symfony/Component/WebLink/Tests/HttpHeaderSerializerTest.php b/src/Symfony/Component/WebLink/Tests/HttpHeaderSerializerTest.php
@@ -44,4 +44,12 @@ public function testSerializeEmpty()
     {
         $this->assertNull($this->serializer->serialize([]));
     }
+
+    public function testSerializeDoubleQuotesInAttributeValue()
+    {
+        $this->assertSame('</foo>; rel="alternate"; title="\"escape me\" \"already escaped\" \"\"\""', $this->serializer->serialize([
+            (new Link('alternate', '/foo'))
+                ->withAttribute('title', '"escape me" \"already escaped\" ""\"'),
+        ]));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,14 +39,14 @@ public function serialize(iterable $links): ?string`
`39`	`39`	`foreach ($link->getAttributes() as $key => $value) {`
`40`	`40`	`if (\is_array($value)) {`
`41`	`41`	`foreach ($value as $v) {`
`42`		`- $attributesParts[] = sprintf('%s="%s"', $key, $v);`
	`42`	`+ $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $v));`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`continue;`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`if (!\is_bool($value)) {`
`49`		`- $attributesParts[] = sprintf('%s="%s"', $key, $value);`
	`49`	`+ $attributesParts[] = sprintf('%s="%s"', $key, preg_replace('/(?<!\\\\)"/', '\"', $value));`
`50`	`50`
`51`	`51`	`continue;`
`52`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,12 @@ public function testSerializeEmpty()`
`44`	`44`	`{`
`45`	`45`	`$this->assertNull($this->serializer->serialize([]));`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ public function testSerializeDoubleQuotesInAttributeValue()`
	`49`	`+ {`
	`50`	`+ $this->assertSame('</foo>; rel="alternate"; title="\"escape me\" \"already escaped\" \"\"\""', $this->serializer->serialize([`
	`51`	`+ (new Link('alternate', '/foo'))`
	`52`	`+ ->withAttribute('title', '"escape me" \"already escaped\" ""\"'),`
	`53`	`+ ]));`
	`54`	`+ }`
`47`	`55`	`}`