#! /bin/sh /usr/share/dpatch/dpatch-run
## ie_innerhtml_backticks.dpatch by Francois Marier
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix Internet Explorer innerHTML bug (0dd9e4faf43e69ef05d30902317b09597eb14291)
@DPATCH@
--- a/htdocs/lib/htmlpurifier/HTMLPurifier/Generator.php
+++ b/htdocs/lib/htmlpurifier/HTMLPurifier/Generator.php
@@ -192,6 +192,35 @@ class HTMLPurifier_Generator
 continue;
 }
 }
+ // Workaround for Internet Explorer innerHTML bug.
+ // Essentially, Internet Explorer, when calculating
+ // innerHTML, omits quotes if there are no instances of
+ // angled brackets, quotes or spaces. However, when parsing
+ // HTML (for example, when you assign to innerHTML), it
+ // treats backticks as quotes. Thus,
+ // ``
+ // becomes
+ // ``
+ // becomes
+ //
+ // Fortunately, all we need to do is trigger an appropriate
+ // quoting style, which we do by adding an extra space.
+ // This also is consistent with the W3C spec, which states
+ // that user agents may ignore leading or trailing
+ // whitespace (in fact, most don't, at least for attributes
+ // like alt, but an extra space at the end is barely
+ // noticeable). Still, we have a configuration knob for
+ // this, since this transformation is not necesary if you
+ // don't process user input with innerHTML or you don't plan
+ // on supporting Internet Explorer.
+ if (strpos($value, '`') !== false) {
+ // check if correct quoting style would not already be
+ // triggered
+ if (strcspn($value, '"\' <>') === strlen($value)) {
+ // protect!
+ $value .= ' ';
+ }
+ }
 $html .= $key.'="'.$this->escape($value).'" ';
 }
 return rtrim($html);
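Review bot: The added comment ends by saying "we have a configuration knob for this", but the `if (strpos($value, '`') !== false)` block that follows is unconditional — nothing in this hunk reads a config value, so the comment promises an opt-out the backported code does not provide. Either gate the block on a flag read from the generator's config (upstream HTMLPurifier appears to do this via a directive read in the constructor, which sits outside this hunk) or drop that sentence so readers do not go looking for a switch that does not exist. The generateAttributes method this hunk patches starts and ends outside the hunk, so the constructor side of such a knob cannot be judged from here. Separately, the condition `strcspn($value, '"\' <>') === strlen($value)` is the whole mitigation — it forces quoted serialisation only when no quote, space or angle bracket is already present — so a regression test asserting that a backtick-only value gains a trailing space while a value already containing a space is left untouched would pin the behaviour, and `necesary` in the comment should read `necessary`.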