Escape double ticks in HTML attributes in general.

Support.php: added ecapeDoubleTick()

Escape double ticks in HTML attributes in general.
Support.php: added ecapeDoubleTick()
8ee21588 · Carsten Rose · 1d947296 · 8ee21588 · 8ee21588
Commit 8ee21588 authored May 12, 2016 by Carsten Rose
--- a/extension/qfq/qfq/helper/Support.php
+++ b/extension/qfq/qfq/helper/Support.php
@@ -106,7 +106,29 @@ class Support {
                break;
        }

-        return $type . '="' . trim($value) . '" ';
+        $value = self::escapeDoubleTick(trim($value));
+        return $type . '="' . $value . '" ';
+    }
+
+    /**
+     * Escapes Double Ticks ("), which are not already escaped.
+     *
+     * @param $str
+     * @return string
+     */
+    public static function escapeDoubleTick($str) {
+        $newStr = '';
+
+        for ($ii = 0; $ii < strlen($str); $ii++) {
+            if ($str[$ii] === '"') {
+                if ($ii === 0 || $str[$ii - 1] != '\\') {
+                    $newStr .= '\\';
+                }
+            }
+            $newStr .= $str[$ii];
+        }
+
+        return $newStr;
    }

    /**

--- a/extension/qfq/tests/phpunit/SupportTest.php
+++ b/extension/qfq/tests/phpunit/SupportTest.php
@@ -349,6 +349,47 @@ class SupportTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals(['id' => 2], $new);

    }
+
+    public function testEscapeDoubleTick() {
+        // empty string
+        $new = Support::escapeDoubleTick('');
+        $this->assertEquals('', $new);
+
+        // nothing to replace
+        $new = Support::escapeDoubleTick('hello world');
+        $this->assertEquals('hello world', $new);
+
+        // last word
+        $new = Support::escapeDoubleTick('hello "world"');
+        $this->assertEquals('hello \\"world\\"', $new);
+
+        // first word
+        $new = Support::escapeDoubleTick('"hello" world');
+        $this->assertEquals('\\"hello\\" world', $new);
+
+        // just "
+        $new = Support::escapeDoubleTick('"');
+        $this->assertEquals('\\"', $new);
+
+        // just \"
+        $new = Support::escapeDoubleTick('\\"');
+        $this->assertEquals('\\"', $new);
+
+        // already escaped: middle
+        $new = Support::escapeDoubleTick('hello \\"T world');
+        $this->assertEquals('hello \\"T world', $new);
+
+        // already escaped: start
+        $new = Support::escapeDoubleTick('\\"T hello world');
+        $this->assertEquals('\\"T hello world', $new);
+
+        // already escaped: end
+        $new = Support::escapeDoubleTick('hello world \\"');
+        $this->assertEquals('hello world \\"', $new);
+
+
+    }
+
    protected function setUp() {
        parent::setUp();