From 1cc4ad533dddb42ed4378193924c88ec8e24229c Mon Sep 17 00:00:00 2001
From: Matthias Andreas Benkard
Date: Sun, 1 Mar 2009 17:36:27 +0100
Subject: Defensively escape href and src attributes.
---
 cljssss-g.clj | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/cljssss-g.clj b/cljssss-g.clj
index d232b53..a0c48c4 100644
--- a/cljssss-g.clj
+++ b/cljssss-g.clj
@@ -190,6 +190,12 @@ to merely being replaced with a div element)?"
 (defn escape-string [string]
 (str-utils/re-gsub #"\"" "\\\\\"" string))
 
+(defn escape-uri [string]
+ ;; Easy? Nope.
+ ;;(java.net.URLEncoder/encode string "UTF-8")
+ (str-utils/re-gsub #"=" "%3D"
+ (str-utils/re-gsub #"&" "%26" string)))
+
 (defn print-xml [node]
 (if (string? node)
 (print (escape-xml node))
@@ -199,7 +205,9 @@ to merely being replaced with a div element)?"
 (when-not (= attr-name :shape)
 (printf " %s=\"%s\""
 (name attr-name)
- (escape-string attr))))
+ (if (#{:href :src} attr-name)
+ (escape-string (escape-uri attr))
+ (escape-string attr)))))
 (print ">")
 (doall (map print-xml content))
 (printf "" (name tag)))))
-- 
cgit v1.2.3
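Review bot: `escape-uri` percent-encodes only `&` and `=`, so it neither validates the URI nor leaves it intact. A legitimate query string such as `?a=1&b=2` is rewritten to `?a%3D1%26b%3D2`, while the scheme passes through unchecked, so a `javascript:` or `data:` value in untrusted markup still reaches href/src. If the goal is to neutralise untrusted links, a scheme allow-list is the check that matters, e.g. `(if (re-find #"(?i)^(https?|ftp|mailto):" string) string "#")`, with relative references needing their own rule. Entity-escaping of `&` is better left to the attribute printer. At minimum, replace the placeholder comment with one that states the coverage: `;; Only & and = are percent-encoded; the URI scheme is NOT validated here.`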
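Review bot: Both branches of the new `if` in the second hunk still end in `escape-string`, which (per its definition in the first hunk's context) turns `"` into `\"`. A backslash is not an escape inside an XML/HTML attribute value, so a double quote in `attr` still closes the attribute and whatever follows is parsed as markup. The attribute path should entity-encode instead, e.g. `(str-utils/re-gsub #"\"" "&quot;" string)`, presumably together with the `<`/`&` handling that `escape-xml` applies to text nodes (its body is not visible here). The duplicated call can also be folded to `(escape-string (if (#{:href :src} attr-name) (escape-uri attr) attr))`. `print-xml` begins and ends outside this hunk.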