FIX We still need XML escaping on href attributes in HTML4Value

model/HTMLValue.php

@@ -52,7 +52,7 @@ abstract class SS_HTMLValue extends ViewableData {
 
 		// Then replace the saved attributes with their original versions
 		$res = preg_replace_callback('/__HTMLVALUE_(\d+)/', function($matches) use ($attrs) {
-			return $attrs[$matches[0]];
+			return Convert::raw2att($attrs[$matches[0]]);
 		}, $res);
 
 		return $res;

tests/integration/HTML4ValueTest.php

@@ -58,4 +58,13 @@ class SS_HTML4ValueTest extends SapphireTest {
 		);
 	}
 
+	public function testAttributeEscaping() {
+		$value = new SS_HTML4Value();
+
+		$value->setContent('<a href="[]"></a>');
+		$this->assertEquals('<a href="[]"></a>', $value->getContent(), "'[' character isn't escaped");
+
+		$value->setContent('<a href="&quot;"></a>');
+		$this->assertEquals('<a href="&quot;"></a>', $value->getContent(), "'\"' character is escaped");
+	}
 }