From 8d26bdbd2e063a9de38f76ba4b4c1013824dfd28 Mon Sep 17 00:00:00 2001
From: Hamish Friedlander <hamish@silverstripe.com>
Date: Thu, 18 Apr 2013 09:13:24 +1200
Subject: [PATCH] FIX We still need XML escaping on href attributes in
 HTML4Value

---
 model/HTMLValue.php                  | 2 +-
 tests/integration/HTML4ValueTest.php | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/model/HTMLValue.php b/model/HTMLValue.php
index 3744325a1..7888806f4 100644
--- a/model/HTMLValue.php
+++ b/model/HTMLValue.php
@@ -52,7 +52,7 @@ abstract class SS_HTMLValue extends ViewableData {
 
 		// Then replace the saved attributes with their original versions
 		$res = preg_replace_callback('/__HTMLVALUE_(\d+)/', function($matches) use ($attrs) {
-			return $attrs[$matches[0]];
+			return Convert::raw2att($attrs[$matches[0]]);
 		}, $res);
 
 		return $res;
diff --git a/tests/integration/HTML4ValueTest.php b/tests/integration/HTML4ValueTest.php
index b29e99d33..011d89797 100644
--- a/tests/integration/HTML4ValueTest.php
+++ b/tests/integration/HTML4ValueTest.php
@@ -58,4 +58,13 @@ class SS_HTML4ValueTest extends SapphireTest {
 		);
 	}
 
+	public function testAttributeEscaping() {
+		$value = new SS_HTML4Value();
+
+		$value->setContent('<a href="[]"></a>');
+		$this->assertEquals('<a href="[]"></a>', $value->getContent(), "'[' character isn't escaped");
+
+		$value->setContent('<a href="&quot;"></a>');
+		$this->assertEquals('<a href="&quot;"></a>', $value->getContent(), "'\"' character is escaped");
+	}
 }