Index: _source/core/htmlparser/basicwriter.js
===================================================================
--- _source/core/htmlparser/basicwriter.js (revision 5242)
+++ _source/core/htmlparser/basicwriter.js (working copy)
@@ -60,9 +60,10 @@
*/
attribute : function( attName, attValue )
{
- // Browsers don't always escape quote in attribute values. (#4683)
- if ( typeof attValue == 'string' )
- attValue = attValue.replace( /"/g, '"' );
+ // Browsers don't always escape special character in attribute values. (#4683, #4719).
+ if ( typeof attValue == 'string' ) {
+ attValue = CKEDITOR.tools.htmlEncodeAttr( attValue );
+ }
this._.output.push( ' ', attName, '="', attValue, '"' );
},
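Review bot: The added `if` opens its brace on the same line, while the function header just above it and the matching block in plugins/htmlwriter/plugin.js put `{` on its own line, and the removed code used no braces at all. Since the body is a single statement, `if ( typeof attValue == 'string' )` followed by the indented `attValue = CKEDITOR.tools.htmlEncodeAttr( attValue );` keeps the hunk in the file's style. The comment would also read better as `// Browsers don't always escape special characters in attribute values. (#4683, #4719)`; the same wording appears in the plugin.js hunk.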
Index: _source/core/tools.js
===================================================================
--- _source/core/tools.js (revision 5242)
+++ _source/core/tools.js (working copy)
@@ -321,6 +321,20 @@
return this.htmlEncode( text );
},
+
+ /**
+ * Replace special HTML characters in a string with their relative HTML
+ * entity values.
+ * @param {String} text The string to be encoded.
+ * @returns {String} The encode string.
+ * @example
+ * alert( CKEDITOR.tools.htmlEncode( 'A > " < D' ) ); // "A > "e; < D"
+ */
+
+ htmlEncodeAttr : function( text )
+ {
+ return text.replace( /"/g, '"' ).replace( //, '>' );
+ },
/**
* Replace characters can't be represented through CSS Selectors string
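Review bot: The doc comment added for `htmlEncodeAttr` does not describe the function it sits on: the `@example` calls `CKEDITOR.tools.htmlEncode`, and nothing says which characters are encoded or in what context the result is safe. Both callers in this patch write the value between double quotes, and the replace chain as rendered here does not touch `'`, so the comment should say that the output is only meant for double-quoted attribute values; the regular expressions appear garbled on this page, so the exact character set should be confirmed against the working copy. I would also change the return line to `@returns {String} The encoded string.`, point the example at `htmlEncodeAttr`, and drop the blank line between `*/` and `htmlEncodeAttr : function( text )`, which may keep documentation tools from attaching the comment. The surrounding object literal starts and ends outside the hunk.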
Index: _source/plugins/htmlwriter/plugin.js
===================================================================
--- _source/plugins/htmlwriter/plugin.js (revision 5242)
+++ _source/plugins/htmlwriter/plugin.js (working copy)
@@ -175,8 +175,8 @@
if ( typeof attValue == 'string' )
{
this.forceSimpleAmpersand && ( attValue = attValue.replace( /&/g, '&' ) );
- // Browsers don't always escape quote in attribute values. (#4683)
- attValue = attValue.replace( /"/g, '"' );
+ // Browsers don't always escape special character in attribute values. (#4683, #4719).
+ attValue = CKEDITOR.tools.htmlEncodeAttr( attValue );
}
this._.output.push( ' ', attName, '="', attValue, '"' );
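Review bot: The call on the added line runs right after the `forceSimpleAmpersand` replacement, so that option only keeps working as long as `htmlEncodeAttr` leaves `&` alone, and nothing visible records that dependency. A comment such as `// htmlEncodeAttr must not encode '&', or forceSimpleAmpersand above would be undone.` would protect it if the helper is later extended. The enclosing function starts and ends outside the hunk.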