From 8ee21588f3b8f888a3876d8a63e2ebbccecf50e6 Mon Sep 17 00:00:00 2001
From: Carsten  Rose <carsten.rose@math.uzh.ch>
Date: Thu, 12 May 2016 18:08:12 +0200
Subject: [PATCH] Escape double ticks in HTML attributes in general.
 Support.php: added ecapeDoubleTick()

---
 extension/qfq/qfq/helper/Support.php        | 24 +++++++++++-
 extension/qfq/tests/phpunit/SupportTest.php | 41 +++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/extension/qfq/qfq/helper/Support.php b/extension/qfq/qfq/helper/Support.php
index 6bf614400..0a2257542 100644
--- a/extension/qfq/qfq/helper/Support.php
+++ b/extension/qfq/qfq/helper/Support.php
@@ -106,7 +106,29 @@ class Support {
                 break;
         }
 
-        return $type . '="' . trim($value) . '" ';
+        $value = self::escapeDoubleTick(trim($value));
+        return $type . '="' . $value . '" ';
+    }
+
+    /**
+     * Escapes Double Ticks ("), which are not already escaped.
+     *
+     * @param $str
+     * @return string
+     */
+    public static function escapeDoubleTick($str) {
+        $newStr = '';
+
+        for ($ii = 0; $ii < strlen($str); $ii++) {
+            if ($str[$ii] === '"') {
+                if ($ii === 0 || $str[$ii - 1] != '\\') {
+                    $newStr .= '\\';
+                }
+            }
+            $newStr .= $str[$ii];
+        }
+
+        return $newStr;
     }
 
     /**
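Review bot: A backslash does not escape a double quote inside an HTML attribute, so the value built on the new line `return $type . '="' . $value . '" ';` can still be terminated by a `"` in `$value` — the browser treats `\` as a literal character and the quote still closes the attribute, which is exactly the breakout the commit title says it prevents. For an HTML attribute context the escape is the entity form, e.g. `$value = htmlspecialchars(trim($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (pass `false` as the fourth argument if values may legitimately arrive already entity-encoded — cannot tell from here). escapeDoubleTick() as written yields a backslash-escaped string, which fits a JavaScript- or SQL-style string literal rather than markup; if that is its intended use, its docblock should say so (`@param string $str` and a note that the result is not HTML-safe) and the attribute builder should not call it. Minor: `$str[$ii - 1] != '\\'` should be `!==`, and an escaped backslash followed by a quote (`\\"`) is left untouched because only the immediately preceding byte is inspected. The method whose `return` the hunk changes starts outside the hunk, and the tests in SupportTest.php pin the backslash form rather than the rendered attribute.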
diff --git a/extension/qfq/tests/phpunit/SupportTest.php b/extension/qfq/tests/phpunit/SupportTest.php
index 2b11c43c7..1b8c7ddef 100644
--- a/extension/qfq/tests/phpunit/SupportTest.php
+++ b/extension/qfq/tests/phpunit/SupportTest.php
@@ -349,6 +349,47 @@ class SupportTest extends \PHPUnit_Framework_TestCase {
         $this->assertEquals(['id' => 2], $new);
 
     }
+
+    public function testEscapeDoubleTick() {
+        // empty string
+        $new = Support::escapeDoubleTick('');
+        $this->assertEquals('', $new);
+
+        // nothing to replace
+        $new = Support::escapeDoubleTick('hello world');
+        $this->assertEquals('hello world', $new);
+
+        // last word
+        $new = Support::escapeDoubleTick('hello "world"');
+        $this->assertEquals('hello \\"world\\"', $new);
+
+        // first word
+        $new = Support::escapeDoubleTick('"hello" world');
+        $this->assertEquals('\\"hello\\" world', $new);
+
+        // just "
+        $new = Support::escapeDoubleTick('"');
+        $this->assertEquals('\\"', $new);
+
+        // just \"
+        $new = Support::escapeDoubleTick('\\"');
+        $this->assertEquals('\\"', $new);
+
+        // already escaped: middle
+        $new = Support::escapeDoubleTick('hello \\"T world');
+        $this->assertEquals('hello \\"T world', $new);
+
+        // already escaped: start
+        $new = Support::escapeDoubleTick('\\"T hello world');
+        $this->assertEquals('\\"T hello world', $new);
+
+        // already escaped: end
+        $new = Support::escapeDoubleTick('hello world \\"');
+        $this->assertEquals('hello world \\"', $new);
+
+
+    }
+
     protected function setUp() {
         parent::setUp();
 
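Review bot: The new assertions compare strings with `assertEquals`, which uses loose comparison; `assertSame` pins the exact string and type, e.g. `$this->assertSame('', $new);`. The two blank lines before the closing brace of testEscapeDoubleTick() are leftover whitespace. Each case also re-assigns `$new` and relies on an inline comment for its name; a data provider would name the cases and report which one failed.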
-- 
GitLab