libhtml: escape attributes keys and values

author Jean Privat <jean@pryen.org>

Sat, 17 Aug 2013 03:55:53 +0000 (23:55 -0400)

committer Jean Privat <jean@pryen.org>

Sat, 17 Aug 2013 04:20:34 +0000 (00:20 -0400)
author Jean Privat <jean@pryen.org>
Sat, 17 Aug 2013 03:55:53 +0000 (23:55 -0400)
committer Jean Privat <jean@pryen.org>
Sat, 17 Aug 2013 04:20:34 +0000 (00:20 -0400)
diff --git a/lib/html.nit b/lib/html.nit

index eb35a18..c1f0c86 100644 (file)
--- a/lib/html.nit
+++ b/lib/html.nit
@@ -230,11 +230,11 @@ class HTMLTag
                 if attrs.has_key("class") or not classes.is_empty then
                         res.add " class=\""
                         for cls in classes do
                 if attrs.has_key("class") or not classes.is_empty then
                         res.add " class=\""
                         for cls in classes do
-                               res.add cls
+                               res.add cls.html_escape
                                 res.add " "
                         end
                         if attrs.has_key("class") then
                                 res.add " "
                         end
                         if attrs.has_key("class") then
-                               res.add attrs["class"]
+                               res.add attrs["class"].html_escape
                                 res.add " "
                         end
                         if res.last == " " then res.pop
                                 res.add " "
                         end
                         if res.last == " " then res.pop
@@ -244,13 +244,13 @@ class HTMLTag
                 if attrs.has_key("style") or not css_props.is_empty then
                         res.add " style=\""
                         for k, v in attrs do
                 if attrs.has_key("style") or not css_props.is_empty then
                         res.add " style=\""
                         for k, v in attrs do
-                               res.add k
+                               res.add k.html_escape
                                 res.add ": "
                                 res.add ": "
-                               res.add v
+                               res.add v.html_escape
                                 res.add "; "
                         end
                         if attrs.has_key("style") then
                                 res.add "; "
                         end
                         if attrs.has_key("style") then
-                               res.add(attrs["style"])
+                               res.add(attrs["style"].html_escape)
                         end
                         if res.last == "; " then res.pop
                         res.add "\""
                         end
                         if res.last == "; " then res.pop
                         res.add "\""
@@ -261,9 +261,9 @@ class HTMLTag
                 for key, value in attrs do
                         if key == "class" or key == "style" then continue
                         res.add " "
                 for key, value in attrs do
                         if key == "class" or key == "style" then continue
                         res.add " "
-                       res.add key
+                       res.add key.html_escape
                         res.add "=\""
                         res.add "=\""
-                       res.add value
+                       res.add value.html_escape
                         res.add "\""
                 end
         end
                         res.add "\""
                 end
         end
author	Jean Privat <jean@pryen.org>
	Sat, 17 Aug 2013 03:55:53 +0000 (23:55 -0400)
committer	Jean Privat <jean@pryen.org>
	Sat, 17 Aug 2013 04:20:34 +0000 (00:20 -0400)