Fix #22: Proper escaping of attribute values

Author: sibprogrammer

internal/utils/utils.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"bytes"
 	"encoding/xml"
 	"fmt"
 	"github.com/PuerkitoBio/goquery"
@@ -85,7 +86,9 @@ func FormatXml(reader io.Reader, writer io.Writer, indent string, colors int) er
 				if attr.Name.Local == "xmlns" {
 					nsAliases[attr.Value] = ""
 				}
-				attrs = append(attrs, getTokenFullName(attr.Name, nsAliases)+attrColor("=\""+attr.Value+"\""))
+				escapedValue, _ := escapeText(attr.Value)
+				attrElement := getTokenFullName(attr.Name, nsAliases) + attrColor("=\""+escapedValue+"\"")
+				attrs = append(attrs, attrElement)
 			}
 			attrsStr := strings.Join(attrs, " ")
 			if attrsStr != "" {
@@ -248,7 +251,8 @@ func FormatHtml(reader io.Reader, writer io.Writer, indent string, colors int) e
 			if hasAttr {
 				for {
 					attrKey, attrValue, moreAttr := tokenizer.TagAttr()
-					attrs = append(attrs, string(attrKey)+attrColor("=\""+string(attrValue)+"\""))
+					escapedValue, _ := escapeText(string(attrValue))
+					attrs = append(attrs, string(attrKey)+attrColor("=\""+escapedValue+"\""))
 					if !moreAttr {
 						break
 					}
@@ -360,3 +364,16 @@ func getSelfClosingTags() map[string]bool {
 		"wbr":    true,
 	}
 }
+
+func escapeText(input string) (string, error) {
+	buf := new(bytes.Buffer)
+	if err := xml.EscapeText(buf, []byte(input)); err != nil {
+		return "", err
+	}
+
+	result := buf.String()
+	result = strings.Replace(result, """, """, -1)
+	result = strings.Replace(result, "'", "'", -1)
+
+	return result, nil
+}

internal/utils/utils_test.go

@@ -22,15 +22,16 @@ func getFileReader(filename string) io.Reader {
 
 func TestFormatXml(t *testing.T) {
 	files := map[string]string{
-		"unformatted.xml":  "formatted.xml",
-		"unformatted2.xml": "formatted2.xml",
-		"unformatted3.xml": "formatted3.xml",
-		"unformatted4.xml": "formatted4.xml",
-		"unformatted5.xml": "formatted5.xml",
-		"unformatted6.xml": "formatted6.xml",
-		"unformatted7.xml": "formatted7.xml",
-		"unformatted8.xml": "formatted8.xml",
-		"unformatted9.xml": "formatted9.xml",
+		"unformatted.xml":   "formatted.xml",
+		"unformatted2.xml":  "formatted2.xml",
+		"unformatted3.xml":  "formatted3.xml",
+		"unformatted4.xml":  "formatted4.xml",
+		"unformatted5.xml":  "formatted5.xml",
+		"unformatted6.xml":  "formatted6.xml",
+		"unformatted7.xml":  "formatted7.xml",
+		"unformatted8.xml":  "formatted8.xml",
+		"unformatted9.xml":  "formatted9.xml",
+		"unformatted10.xml": "formatted10.xml",
 	}
 
 	for unformattedFile, expectedFile := range files {
@@ -53,6 +54,7 @@ func TestFormatHtml(t *testing.T) {
 		"unformatted2.html": "formatted2.html",
 		"unformatted3.html": "formatted3.html",
 		"unformatted4.html": "formatted4.html",
+		"unformatted5.html": "formatted5.html",
 		"unformatted.xml":   "formatted.xml",
 	}
 
@@ -102,3 +104,9 @@ func TestPagerPrint(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Contains(t, output.String(), "<html>")
 }
+
+func TestEscapeText(t *testing.T) {
+	result, err := escapeText("\"value\"")
+	assert.Nil(t, err)
+	assert.Equal(t, "&quot;value&quot;", result)
+}

test/data/html/formatted5.html

@@ -0,0 +1,3 @@
+<html>
+  <tag attr="GetParam(&quot;HASH_VALUE_SHARING_MODE&quot;) != 1"></tag>
+</html>

test/data/html/unformatted5.html

@@ -0,0 +1,3 @@
+<html >
+  <tag attr="GetParam(&quot;HASH_VALUE_SHARING_MODE&quot;) != 1"></tag>
+</html>

test/data/xml/formatted10.xml

@@ -0,0 +1,3 @@
+<root>
+  <SEQUENCE mandatory="FALSE" precondition="GetParam(&quot;HASH_VALUE_SHARING_MODE&quot;) != 1"/>
+</root>

test/data/xml/unformatted10.xml

@@ -0,0 +1,3 @@
+<root>
+  <SEQUENCE mandatory="FALSE" precondition="GetParam(&quot;HASH_VALUE_SHARING_MODE&quot;) != 1"/>
+</root>