Index: Source/core/editing/MarkupAccumulator.cpp |
diff --git a/Source/core/editing/MarkupAccumulator.cpp b/Source/core/editing/MarkupAccumulator.cpp |
index b8f4a541273159d32662091a1de41bc471f886d8..1dab620b038702f8705cb08282bc5047fa711f3e 100644 |
--- a/Source/core/editing/MarkupAccumulator.cpp |
+++ b/Source/core/editing/MarkupAccumulator.cpp |
@@ -210,7 +210,7 @@ void MarkupAccumulator::appendCustomAttributes(StringBuilder&, const Element&, N |
{ |
} |
-void MarkupAccumulator::appendQuotedURLAttributeValue(StringBuilder& result, const Element& element, const Attribute& attribute) |
+void MarkupAccumulator::appendHTMLEscapedURLAttributeValue(StringBuilder& result, const Element& element, const Attribute& attribute) |
{ |
ASSERT(element.isURLAttribute(attribute)); |
const String resolvedURLString = resolveURLIfNeeded(element, attribute.value()); |
@@ -218,6 +218,9 @@ void MarkupAccumulator::appendQuotedURLAttributeValue(StringBuilder& result, con |
String strippedURLString = resolvedURLString.stripWhiteSpace(); |
if (protocolIsJavaScript(strippedURLString)) { |
// minimal escaping for javascript urls |
+ if (strippedURLString.contains('&')) |
+ strippedURLString.replaceWithLiteral('&', "&"); |
+ |
if (strippedURLString.contains('"')) { |
if (strippedURLString.contains('\'')) |
strippedURLString.replaceWithLiteral('"', """); |
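Review bot: The `&` replacement added at the top of the javascript: branch has to run before the quote handling that follows it, and neither the existing comment `// minimal escaping for javascript urls` nor the new lines say why. I would extend that comment to something like `// Escape '&' before quotes: keeps entity-like text in the URL from being decoded when the markup is re-parsed, and keeps the '&' of the quote entity added below from being escaped twice.` As rendered on this page the replacement literals read `"&"` and `"""`, which looks like the page having decoded the entities; presumably the file has `&amp;` and `&quot;`, which is worth confirming against the raw patch. The body of appendHTMLEscapedURLAttributeValue continues past the end of this hunk, so the single-quote path is not visible here.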
@@ -474,7 +477,7 @@ void MarkupAccumulator::appendAttribute(StringBuilder& result, const Element& el |
result.append('='); |
if (element.isURLAttribute(attribute)) { |
- appendQuotedURLAttributeValue(result, element, attribute); |
+ appendHTMLEscapedURLAttributeValue(result, element, attribute); |
} else { |
result.append('"'); |
appendAttributeValue(result, attribute.value(), documentIsHTML); |