Escape '&' in javascript URLs for innerHTML/outerHTML

Source/core/editing/MarkupAccumulator.cpp

Index: Source/core/editing/MarkupAccumulator.cpp
diff --git a/Source/core/editing/MarkupAccumulator.cpp b/Source/core/editing/MarkupAccumulator.cpp
index b8f4a541273159d32662091a1de41bc471f886d8..1dab620b038702f8705cb08282bc5047fa711f3e 100644
--- a/Source/core/editing/MarkupAccumulator.cpp
+++ b/Source/core/editing/MarkupAccumulator.cpp
@@ -210,7 +210,7 @@ void MarkupAccumulator::appendCustomAttributes(StringBuilder&, const Element&, N
 {
 }
 
-void MarkupAccumulator::appendQuotedURLAttributeValue(StringBuilder& result, const Element& element, const Attribute& attribute)
+void MarkupAccumulator::appendHTMLEscapedURLAttributeValue(StringBuilder& result, const Element& element, const Attribute& attribute)
 {
     ASSERT(element.isURLAttribute(attribute));
     const String resolvedURLString = resolveURLIfNeeded(element, attribute.value());
@@ -218,6 +218,9 @@ void MarkupAccumulator::appendQuotedURLAttributeValue(StringBuilder& result, con
     String strippedURLString = resolvedURLString.stripWhiteSpace();
     if (protocolIsJavaScript(strippedURLString)) {
         // minimal escaping for javascript urls
+        if (strippedURLString.contains('&'))
+            strippedURLString.replaceWithLiteral('&', "&");
+
         if (strippedURLString.contains('"')) {
             if (strippedURLString.contains('\''))
                 strippedURLString.replaceWithLiteral('"', """);
@@ -474,7 +477,7 @@ void MarkupAccumulator::appendAttribute(StringBuilder& result, const Element& el
     result.append('=');
 
     if (element.isURLAttribute(attribute)) {
-        appendQuotedURLAttributeValue(result, element, attribute);
+        appendHTMLEscapedURLAttributeValue(result, element, attribute);
     } else {
         result.append('"');
         appendAttributeValue(result, attribute.value(), documentIsHTML);