Bugfix: invalid attribute values gave out-of-bounds

tdewolff · May 14, 2015 · 5bc9130 · 5bc9130
1 parent b4161f8
commit 5bc9130
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/html/util_test.go b/html/util_test.go
@@ -32,4 +32,5 @@ func TestAttrVal(t *testing.T) {
 	assertAttrVal(t, "'x&#x00022;z'", "'x\"z'")
 	assertAttrVal(t, "'x\"&gt;'", "'x\"&gt;'")
 	assertAttrVal(t, "You&#039;re encouraged to log in; however, it&#039;s not mandatory. [o]", "\"You're encouraged to log in; however, it's not mandatory. [o]\"")
+	assertAttrVal(t, "a'b=\"\"", "'a&#39;b=\"\"'")
 }
diff --git a/xml/util.go b/xml/util.go
@@ -29,19 +29,22 @@ func EscapeAttrVal(buf *[]byte, b []byte) []byte {
 		}
 	}
 
+	n := len(b) + 2
 	var quote byte
 	var escapedQuote []byte
 	if doubles > singles {
+		n += singles * 4
 		quote = '\''
 		escapedQuote = singleQuoteEntityBytes
 	} else {
+		n += doubles * 4
 		quote = '"'
 		escapedQuote = doubleQuoteEntityBytes
 	}
-	if len(b)+2 > cap(*buf) {
-		*buf = make([]byte, 0, len(b)+2) // maximum size, not actual size
+	if n > cap(*buf) {
+		*buf = make([]byte, 0, n) // maximum size, not actual size
 	}
-	t := (*buf)[:len(b)+2] // maximum size, not actual size
+	t := (*buf)[:n] // maximum size, not actual size
 	t[0] = quote
 	j := 1
 	start := 0

diff --git a/xml/util_test.go b/xml/util_test.go
@@ -19,4 +19,5 @@ func TestAttrVal(t *testing.T) {
 	assertAttrVal(t, "x&amp;z", "\"x&amp;z\"")
 	assertAttrVal(t, "x'z", "\"x'z\"")
 	assertAttrVal(t, "x\"z", "'x\"z'")
+	assertAttrVal(t, "a'b=\"\"", "'a&#39;b=\"\"'")
 }