id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
11508	DataProcessor processing nested (encoded) attributes	Olek Nowodziński	Olek Nowodziński	"1. Open replacebycode sample.
2. Enable `allowedContent: true`
 {{{
CKEDITOR.replace( 'editor1', {
	allowedContent: true
} );
}}}
3. Call
 {{{
CKEDITOR.instances.editor1.dataProcessor.toHtml( '<p><img data-foo=""&lt;a href=&quot;XXX&quot;&gt;YYY&lt;/a&gt;"" /></p>' )
}}}
 `data-foo` attribute contains encoded HTML:
 {{{
<a href=""XXX"">YYY</a>
}}}

'''Expected:''' 
{{{
<p><img data-foo=""&lt;a href=&quot;XXX&quot;&gt;YYY&lt;/a&gt;"" /></p>
}}}
'''Actual:'''
{{{
<p><img data-foo=""&lt;a data-cke-saved-href=&quot;XXX&quot;&gt;YYY&lt;/a&gt; href=&quot;XXX&quot;&gt;YYY&lt;/a&gt;"" /></p>
}}}
'''What happened?'''
Dataprocessor considered `href=&quot;XXX&quot;` as an attribute of `<img>` and tried to protect it, making a lot of mess. The RegExp responsible for that is not perfect
{{{
protectAttributeRegex = /\s(on\w+|href|src|name)\s*=\s*(?:(?:""[^""]*"")|(?:'[^']*')|(?:[^ ""'>]+))/gi;
}}}
`|(?:[^ ""'>]+)` matches `href=&quot;XXX&quot;` as an unquoted attribute of `<img>` ([http://www.whatwg.org/specs/web-apps/current-work/multipage/introduction.html#intro-early-example this kind of attributes is allowed in HTML])

----

'''Another TC''': 

Paste
{{{
<p><img data-foo=""&lt;a href=&quot;XXX&quot;&gt;YYY&lt;/a&gt;"" /></p>
}}}
into source view and switch modes twice."	Bug	closed	Normal	CKEditor 4.3.3	Core : Parser	4.0	fixed		wim.leers@…