don't escape characters in JS attributes; bug #68167

content/base/src/nsHTMLContentSerializer.cpp

@@ -302,7 +302,21 @@ nsHTMLContentSerializer::SerializeAttributes(nsIContent* aContent,
 
     attrName->ToString(nameStr);
     
-    SerializeAttr(nsAutoString(), nameStr, valueStr, aStr);
+    PRBool doTreatAsCDATA = 
+                 (attrName.get() == nsHTMLAtoms::onblur)      || (attrName.get() == nsHTMLAtoms::onchange)
+              || (attrName.get() == nsHTMLAtoms::onclick)     || (attrName.get() == nsHTMLAtoms::ondblclick)
+              || (attrName.get() == nsHTMLAtoms::onfocus)     || (attrName.get() == nsHTMLAtoms::onkeydown)
+              || (attrName.get() == nsHTMLAtoms::onkeypress)  || (attrName.get() == nsHTMLAtoms::onkeyup)
+              || (attrName.get() == nsHTMLAtoms::onload)      || (attrName.get() == nsHTMLAtoms::onmousedown)
+              || (attrName.get() == nsHTMLAtoms::onmousemove) || (attrName.get() == nsHTMLAtoms::onmouseout)
+              || (attrName.get() == nsHTMLAtoms::onmouseover) || (attrName.get() == nsHTMLAtoms::onmouseup)
+              || (attrName.get() == nsHTMLAtoms::onreset)     || (attrName.get() == nsHTMLAtoms::onselect)
+              || (attrName.get() == nsHTMLAtoms::onsubmit)    || (attrName.get() == nsHTMLAtoms::onunload)
+              || (attrName.get() == nsHTMLAtoms::onabort)     || (attrName.get() == nsHTMLAtoms::onerror)
+              || (attrName.get() == nsHTMLAtoms::onpaint)     || (attrName.get() == nsHTMLAtoms::onresize)
+              || (attrName.get() == nsHTMLAtoms::onscroll);
+
+    SerializeAttr(nsAutoString(), nameStr, valueStr, aStr, !doTreatAsCDATA);
   }
 }
 
@@ -678,6 +692,8 @@ nsHTMLContentSerializer::LineBreakBeforeOpen(nsIAtom* aName,
       aName == nsHTMLAtoms::meta  ||
       aName == nsHTMLAtoms::link  ||
       aName == nsHTMLAtoms::style ||
+      aName == nsHTMLAtoms::select ||
+      aName == nsHTMLAtoms::option ||
       aName == nsHTMLAtoms::script ||
       aName == nsHTMLAtoms::html) {
     return PR_TRUE;
@@ -723,6 +739,7 @@ nsHTMLContentSerializer::LineBreakAfterOpen(nsIAtom* aName,
       (aName == nsHTMLAtoms::meta) ||
       (aName == nsHTMLAtoms::link) ||
       (aName == nsHTMLAtoms::script) ||
+      (aName == nsHTMLAtoms::select) ||
       (aName == nsHTMLAtoms::img) ||
       (aName == nsHTMLAtoms::map) ||
       (aName == nsHTMLAtoms::area) ||
@@ -748,6 +765,7 @@ nsHTMLContentSerializer::LineBreakBeforeClose(nsIAtom* aName,
       (aName == nsHTMLAtoms::ul) ||
       (aName == nsHTMLAtoms::ol) ||
       (aName == nsHTMLAtoms::dl) ||
+      (aName == nsHTMLAtoms::select) ||
       (aName == nsHTMLAtoms::table) ||
       (aName == nsHTMLAtoms::tbody)) {
     return PR_TRUE;
@@ -772,11 +790,14 @@ nsHTMLContentSerializer::LineBreakAfterClose(nsIAtom* aName,
       (aName == nsHTMLAtoms::th) ||
       (aName == nsHTMLAtoms::td) ||
       (aName == nsHTMLAtoms::pre) ||
+      (aName == nsHTMLAtoms::a) ||
       (aName == nsHTMLAtoms::title) ||
       (aName == nsHTMLAtoms::li) ||
       (aName == nsHTMLAtoms::dt) ||
       (aName == nsHTMLAtoms::dd) ||
       (aName == nsHTMLAtoms::blockquote) ||
+      (aName == nsHTMLAtoms::select) ||
+      (aName == nsHTMLAtoms::option) ||
       (aName == nsHTMLAtoms::p) ||
       (aName == nsHTMLAtoms::map) ||
       (aName == nsHTMLAtoms::div)) {

content/base/src/nsXMLContentSerializer.cpp

@@ -357,7 +357,8 @@ void
 nsXMLContentSerializer::SerializeAttr(const nsAReadableString& aPrefix,
                                       const nsAReadableString& aName,
                                       const nsAReadableString& aValue,
-                                      nsAWritableString& aStr)
+                                      nsAWritableString& aStr,
+                                      PRBool aDoEscapeEntities)
 {
   AppendToString(PRUnichar(' '), aStr);
   if (aPrefix.Length() > 0) {
@@ -369,7 +370,7 @@ nsXMLContentSerializer::SerializeAttr(const nsAReadableString& aPrefix,
   AppendToString(NS_LITERAL_STRING("=\""), aStr);
 
   mInAttribute = PR_TRUE;
-  AppendToString(aValue, aStr, PR_TRUE);
+  AppendToString(aValue, aStr, aDoEscapeEntities);
   mInAttribute = PR_FALSE;
 
   AppendToString(NS_LITERAL_STRING("\""), aStr);
@@ -451,7 +452,7 @@ nsXMLContentSerializer::AppendElementStart(nsIDOMElement *aElement,
   // If we had to add a new namespace declaration, serialize
   // and push it on the namespace stack
   if (addNSAttr) {
-    SerializeAttr(xmlnsStr, tagPrefix, tagNamespaceURI, aStr);
+    SerializeAttr(xmlnsStr, tagPrefix, tagNamespaceURI, aStr, PR_TRUE);
     PushNameSpaceDecl(tagPrefix, tagNamespaceURI, aElement);
   }
 
@@ -488,10 +489,10 @@ nsXMLContentSerializer::AppendElementStart(nsIDOMElement *aElement,
     
     if (elementNamespaceID == kNameSpaceID_HTML && nameStr.Equals(NS_LITERAL_STRING("xmlns:xmlns")))
       nameStr.Assign(kXMLNS); // XXX Shouldn't need this hack, breaks case where there really is xmlns:xmlns
-    SerializeAttr(prefixStr, nameStr, valueStr, aStr);
+    SerializeAttr(prefixStr, nameStr, valueStr, aStr, PR_TRUE);
     
     if (addNSAttr) {
-      SerializeAttr(xmlnsStr, prefixStr, uriStr, aStr);
+      SerializeAttr(xmlnsStr, prefixStr, uriStr, aStr, PR_TRUE);
       PushNameSpaceDecl(prefixStr, uriStr, aElement);
     }
   }

content/base/src/nsXMLContentSerializer.h

@@ -91,7 +91,8 @@ class nsXMLContentSerializer : public nsIContentSerializer {
   void SerializeAttr(const nsAReadableString& aPrefix,
                      const nsAReadableString& aName,
                      const nsAReadableString& aValue,
-                     nsAWritableString& aStr);
+                     nsAWritableString& aStr,
+                     PRBool aDoEscapeEntities);
 
   PRInt32 mPrefixIndex;
   nsVoidArray mNameSpaceStack;

content/html/content/src/nsHTMLAtomList.h

@@ -306,3 +306,28 @@ HTML_ATOM(moz_tristatevalue, "moz-tristatevalue")
 HTML_ATOM(iform, "IForm")
 HTML_ATOM(form_control_list, "FormControlList")
 #endif
+
+HTML_ATOM(onblur, "onblur")
+HTML_ATOM(onchange, "onchange")
+HTML_ATOM(onclick, "onclick")
+HTML_ATOM(ondblclick, "ondblclick")
+HTML_ATOM(onfocus, "onfocus")
+HTML_ATOM(onkeydown, "onkeydown")
+HTML_ATOM(onkeypress, "onkeypress")
+HTML_ATOM(onkeyup, "onkeyup")
+HTML_ATOM(onload, "onload")
+HTML_ATOM(onmousedown, "onmousedown")
+HTML_ATOM(onmousemove, "onmousemove")
+HTML_ATOM(onmouseout, "onmouseout")
+HTML_ATOM(onmouseover, "onmouseover")
+HTML_ATOM(onmouseup, "onmouseup")
+HTML_ATOM(onreset, "onreset")
+HTML_ATOM(onselect, "onselect")
+HTML_ATOM(onsubmit, "onsubmit")
+HTML_ATOM(onunload, "onunload")
+HTML_ATOM(onabort, "onabort")
+HTML_ATOM(onerror, "onerror")
+HTML_ATOM(onpaint, "onpaint")
+HTML_ATOM(onresize, "onresize")
+HTML_ATOM(onscroll, "onscroll")
+

content/shared/public/nsHTMLAtomList.h

@@ -306,3 +306,28 @@ HTML_ATOM(moz_tristatevalue, "moz-tristatevalue")
 HTML_ATOM(iform, "IForm")
 HTML_ATOM(form_control_list, "FormControlList")
 #endif
+
+HTML_ATOM(onblur, "onblur")
+HTML_ATOM(onchange, "onchange")
+HTML_ATOM(onclick, "onclick")
+HTML_ATOM(ondblclick, "ondblclick")
+HTML_ATOM(onfocus, "onfocus")
+HTML_ATOM(onkeydown, "onkeydown")
+HTML_ATOM(onkeypress, "onkeypress")
+HTML_ATOM(onkeyup, "onkeyup")
+HTML_ATOM(onload, "onload")
+HTML_ATOM(onmousedown, "onmousedown")
+HTML_ATOM(onmousemove, "onmousemove")
+HTML_ATOM(onmouseout, "onmouseout")
+HTML_ATOM(onmouseover, "onmouseover")
+HTML_ATOM(onmouseup, "onmouseup")
+HTML_ATOM(onreset, "onreset")
+HTML_ATOM(onselect, "onselect")
+HTML_ATOM(onsubmit, "onsubmit")
+HTML_ATOM(onunload, "onunload")
+HTML_ATOM(onabort, "onabort")
+HTML_ATOM(onerror, "onerror")
+HTML_ATOM(onpaint, "onpaint")
+HTML_ATOM(onresize, "onresize")
+HTML_ATOM(onscroll, "onscroll")
+