From 287b0dad703751b2547d4723e7373b58816882b2 Mon Sep 17 00:00:00 2001
From: "bzbarsky@mit.edu" <bzbarsky@mit.edu>
Date: Fri, 14 Sep 2007 12:03:13 -0700
Subject: [PATCH] Fix serialization of '&' in "script" attribute values so that
 it round-trips correctly.  Bug 392511, r+sr=peterv, a=jst

---
 content/base/src/nsXMLContentSerializer.cpp | 22 ++++-----
 content/base/test/Makefile.in               |  1 +
 content/base/test/test_bug392511.html       | 54 +++++++++++++++++++++
 3 files changed, 66 insertions(+), 11 deletions(-)
 create mode 100644 content/base/test/test_bug392511.html

diff --git a/content/base/src/nsXMLContentSerializer.cpp b/content/base/src/nsXMLContentSerializer.cpp
index 19a04757a89f..09320ec10c20 100644
--- a/content/base/src/nsXMLContentSerializer.cpp
+++ b/content/base/src/nsXMLContentSerializer.cpp
@@ -529,7 +529,9 @@ nsXMLContentSerializer::SerializeAttr(const nsAString& aPrefix,
     // need to select the delimiter character and escape characters using
     // character entity references, ignoring the value of aDoEscapeEntities.
     // See http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2.2 for
-    // the standard on character entity references in values. 
+    // the standard on character entity references in values.  We also have to
+    // make sure to escape any '&' characters.
+    
     PRBool bIncludesSingle = PR_FALSE;
     PRBool bIncludesDouble = PR_FALSE;
     nsAString::const_iterator iCurr, iEnd;
@@ -565,18 +567,16 @@ nsXMLContentSerializer::SerializeAttr(const nsAString& aPrefix,
         (bIncludesDouble && !bIncludesSingle) ? PRUnichar('\'') : PRUnichar('"');
     AppendToString(PRUnichar('='), aStr);
     AppendToString(cDelimiter, aStr);
+    nsAutoString sValue(aValue);
+    sValue.ReplaceSubstring(NS_LITERAL_STRING("&"),
+                            NS_LITERAL_STRING("&amp;"));
     if (bIncludesDouble && bIncludesSingle) {
-      nsAutoString sValue(aValue);
-      sValue.ReplaceSubstring(NS_LITERAL_STRING("\"").get(), NS_LITERAL_STRING("&quot;").get());
-      mInAttribute = PR_TRUE;
-      AppendToString(sValue, aStr, PR_FALSE);
-      mInAttribute = PR_FALSE;
-    }
-    else {
-      mInAttribute = PR_TRUE;
-      AppendToString(aValue, aStr, PR_FALSE);
-      mInAttribute = PR_FALSE;
+      sValue.ReplaceSubstring(NS_LITERAL_STRING("\""),
+                              NS_LITERAL_STRING("&quot;"));
     }
+    mInAttribute = PR_TRUE;
+    AppendToString(sValue, aStr, PR_FALSE);
+    mInAttribute = PR_FALSE;
     AppendToString(cDelimiter, aStr);
   }
 }
diff --git a/content/base/test/Makefile.in b/content/base/test/Makefile.in
index fa56b4dcf9a7..d1f4d746b42e 100644
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@@ -87,6 +87,7 @@ _TEST_FILES = 	test_bug5141.html \
 		test_bug375314.html \
 		test_bug382113.html \
 		test_bug390735.html \
+		test_bug392511.html \
 		bug382113_object.html \
 		test_CrossSiteXHR.html \
 		file_CrossSiteXHR_fail1.xml \
diff --git a/content/base/test/test_bug392511.html b/content/base/test/test_bug392511.html
new file mode 100644
index 000000000000..c50994df12fe
--- /dev/null
+++ b/content/base/test/test_bug392511.html
@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=392511
+-->
+<head>
+  <title>Test for Bug 392511</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=392511">Mozilla Bug 392511</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  <div id="t1"><span onclick="&quot;&amp;"></span></div>  
+  <div id="t2"><span foo="&quot;&amp;"></span></div>  
+  <div id="t3"><span onclick='&apos;&amp;'></span></div>  
+  <div id="t4"><span foo='&apos;&amp;'></span></div>  
+  <div id="t5"><span onclick='"&apos;&amp;'></span></div>  
+  <div id="t6"><span foo='"&apos;&amp;'></span></div>  
+  <div id="t7"><span onclick="'&quot;&amp;"></span></div>  
+  <div id="t8"><span foo="'&quot;&amp;"></span></div>  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 392511 **/
+
+var results = [
+ "'\"&amp;'",
+ "\"&quot;&amp;\"",
+ "\"'&amp;\"",
+ "\"'&amp;\"",
+ "\"&quot;'&amp;\"",
+ "\"&quot;'&amp;\"",
+ "\"'&quot;&amp;\"",
+ "\"'&quot;&amp;\""
+];
+ 
+for (var i = 1; i <= 8; ++i) {
+  var id = "t" + i;
+  var str = $(id).innerHTML;
+  var expect = "<span ";
+  expect += (i % 2) ? "onclick" : "foo";
+  expect += "=" + results[i-1] + "></span>";
+  is (str, expect, "Wrong string for test " + id);
+}
+
+</script>
+</pre>
+</body>
+</html>
+