Fix serialization of '&' in "script" attribute values so that it round-trips correctly. Bug 392511, r+sr=peterv, a=jst

content/base/src/nsXMLContentSerializer.cpp

@@ -529,7 +529,9 @@ nsXMLContentSerializer::SerializeAttr(const nsAString& aPrefix,
     // need to select the delimiter character and escape characters using
     // character entity references, ignoring the value of aDoEscapeEntities.
     // See http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2.2 for
-    // the standard on character entity references in values. 
+    // the standard on character entity references in values.  We also have to
+    // make sure to escape any '&' characters.
+    
     PRBool bIncludesSingle = PR_FALSE;
     PRBool bIncludesDouble = PR_FALSE;
     nsAString::const_iterator iCurr, iEnd;
@@ -565,18 +567,16 @@ nsXMLContentSerializer::SerializeAttr(const nsAString& aPrefix,
         (bIncludesDouble && !bIncludesSingle) ? PRUnichar('\'') : PRUnichar('"');
     AppendToString(PRUnichar('='), aStr);
     AppendToString(cDelimiter, aStr);
+    nsAutoString sValue(aValue);
+    sValue.ReplaceSubstring(NS_LITERAL_STRING("&"),
+                            NS_LITERAL_STRING("&"));
     if (bIncludesDouble && bIncludesSingle) {
-      nsAutoString sValue(aValue);
-      sValue.ReplaceSubstring(NS_LITERAL_STRING("\"").get(), NS_LITERAL_STRING(""").get());
-      mInAttribute = PR_TRUE;
-      AppendToString(sValue, aStr, PR_FALSE);
-      mInAttribute = PR_FALSE;
-    }
-    else {
-      mInAttribute = PR_TRUE;
-      AppendToString(aValue, aStr, PR_FALSE);
-      mInAttribute = PR_FALSE;
+      sValue.ReplaceSubstring(NS_LITERAL_STRING("\""),
+                              NS_LITERAL_STRING("""));
     }
+    mInAttribute = PR_TRUE;
+    AppendToString(sValue, aStr, PR_FALSE);
+    mInAttribute = PR_FALSE;
     AppendToString(cDelimiter, aStr);
   }
 }

content/base/test/Makefile.in

@@ -87,6 +87,7 @@ _TEST_FILES = 	test_bug5141.html \
 		test_bug375314.html \
 		test_bug382113.html \
 		test_bug390735.html \
+		test_bug392511.html \
 		bug382113_object.html \
 		test_CrossSiteXHR.html \
 		file_CrossSiteXHR_fail1.xml \

content/base/test/test_bug392511.html

@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=392511
+-->
+<head>
+  <title>Test for Bug 392511</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=392511">Mozilla Bug 392511</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  <div id="t1"><span onclick="&quot;&amp;"></span></div>  
+  <div id="t2"><span foo="&quot;&amp;"></span></div>  
+  <div id="t3"><span onclick='&apos;&amp;'></span></div>  
+  <div id="t4"><span foo='&apos;&amp;'></span></div>  
+  <div id="t5"><span onclick='"&apos;&amp;'></span></div>  
+  <div id="t6"><span foo='"&apos;&amp;'></span></div>  
+  <div id="t7"><span onclick="'&quot;&amp;"></span></div>  
+  <div id="t8"><span foo="'&quot;&amp;"></span></div>  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 392511 **/
+
+var results = [
+ "'\"&amp;'",
+ "\"&quot;&amp;\"",
+ "\"'&amp;\"",
+ "\"'&amp;\"",
+ "\"&quot;'&amp;\"",
+ "\"&quot;'&amp;\"",
+ "\"'&quot;&amp;\"",
+ "\"'&quot;&amp;\""
+];
+ 
+for (var i = 1; i <= 8; ++i) {
+  var id = "t" + i;
+  var str = $(id).innerHTML;
+  var expect = "<span ";
+  expect += (i % 2) ? "onclick" : "foo";
+  expect += "=" + results[i-1] + "></span>";
+  is (str, expect, "Wrong string for test " + id);
+}
+
+</script>
+</pre>
+</body>
+</html>
+