Escape data within stringify_attributes for XSS protection. Fixes #282

system/Common.php

@@ -198,6 +198,7 @@ function esc($data, $context = 'html', $encoding=null)
 				$method = 'escape'.ucfirst($context);
 			}
 
+			// @todo Optimize this to only load a single instance during page request.
 			$escaper = new \Zend\Escaper\Escaper($encoding);
 
 			$data   = $escaper->$method($data);
@@ -640,7 +641,9 @@ function stringify_attributes($attributes, $js = FALSE) : string
 
 		foreach ($attributes as $key => $val)
 		{
-			$atts .= ($js) ? $key.'='.$val.',' : ' '.$key.'="'.$val.'"';
+			$atts .= ($js)
+                ? $key.'='.esc($val, 'js').','
+                : ' '.$key.'="'.esc($val, 'attr').'"';
 		}
 
 		return rtrim($atts, ',');

tests/system/Helpers/URLHelperTest.php

@@ -549,7 +549,7 @@ public function anchorExamplePatterns()
 	{
 		return [
 			'egpage01'	 => ['<a href="http://example.com/index.php/news/local/123" title="News title">My News</a>', 'news/local/123', 'My News', 'title="News title"'],
-			'egpage02'	 => ['<a href="http://example.com/index.php/news/local/123" title="The best news!">My News</a>', 'news/local/123', 'My News', array ('title' => 'The best news!')],
+			'egpage02'	 => ['<a href="http://example.com/index.php/news/local/123" title="The&#x20;best&#x20;news&#x21;">My News</a>', 'news/local/123', 'My News', array ('title' => 'The best news!')],
 			'egpage03'	 => ['<a href="http://example.com/index.php">Click here</a>', '', 'Click here'],
 			'egpage04'	 => ['<a href="http://example.com/index.php">Click here</a>', '/', 'Click here'],
 		];
@@ -626,7 +626,7 @@ public function mailtoPatterns()
 	{
 		return [
 			'page01' => ['<a href="mailto:me@my-site.com">Click Here to Contact Me</a>', 'me@my-site.com', 'Click Here to Contact Me'],
-			'page02' => ['<a href="mailto:me@my-site.com" title="Mail me">Contact Me</a>', 'me@my-site.com', 'Contact Me', array ('title' => 'Mail me')],
+			'page02' => ['<a href="mailto:me@my-site.com" title="Mail&#x20;me">Contact Me</a>', 'me@my-site.com', 'Contact Me', array ('title' => 'Mail me')],
 			'page03' => ['<a href="mailto:me@my-site.com">me@my-site.com</a>', 'me@my-site.com'],
 		];
 	}

user_guide_src/source/helpers/url_helper.rst

@@ -183,10 +183,12 @@ The following functions are available:
 		echo anchor('', 'Click here');
 		// Prints: <a href="http://example.com/index.php">Click here</a>
 
-        As above, you may specify an alternate configuration.
-        You may find the alternate configuration useful if generating links for a
-        different site than yours, which contains different configuration preferences.
-        We use this for unit testing the framework itself.
+	As above, you may specify an alternate configuration.
+	You may find the alternate configuration useful if generating links for a
+	different site than yours, which contains different configuration preferences.
+	We use this for unit testing the framework itself.
+
+	.. note:: Attributes passed into the anchor function are automatically escaped to protected against XSS attacks.
 
 .. php:function:: anchor_popup([$uri = ''[, $title = ''[, $attributes = FALSE[, $altConfig = NULL]]]])
 
@@ -237,6 +239,8 @@ The following functions are available:
         different site than yours, which contains different configuration preferences.
         We use this for unit testing the framework itself.
 
+	.. note:: Attributes passed into the anchor_popup function are automatically escaped to protected against XSS attacks.
+
 .. php:function:: mailto($email[, $title = ''[, $attributes = '']])
 
 	:param	string	$email: E-mail address
@@ -255,6 +259,8 @@ The following functions are available:
 		$attributes = array('title' => 'Mail me');
 		echo mailto('me@my-site.com', 'Contact Me', $attributes);
 
+	.. note:: Attributes passed into the mailto function are automatically escaped to protected against XSS attacks.
+
 .. php:function:: safe_mailto($email[, $title = ''[, $attributes = '']])
 
 	:param	string	$email: E-mail address