bhollis / maruku

A pure-Ruby Markdown-superset interpreter (Official Repo).
MIT License

New Serializer does not properly escape/sanitize attribute values #114

Closed distler closed 10 years ago

distler commented 10 years ago
irb(main):001:0> require 'maruku'
=> true
irb(main):002:0> s = <<END
irb(main):003:0" *foo*{: style='ball & chain'}
irb(main):004:0"
irb(main):005:0" *foo*{: style='ball\008 chain'}
irb(main):006:0"
irb(main):007:0" *foo*{: style='ball\" badAttribute=\"chain'}
irb(main):008:0" END
=> "*foo*{: style='ball & chain'}\n\n*foo*{: style='ball\u00008 chain'}\n\n*foo*{: style='ball\" badAttribute=\"chain'}\n"
irb(main):009:0> Maruku.new(s).to_html
=> "<p><em style=\"ball & chain\">foo</em></p>\n\n<p><em style=\"ball\u00008 chain\">foo</em></p>\n\n<p><em style=\"ball\" badAttribute=\"chain\">foo</em></p>"

Nokogiri would ensure sane attribute values. So the output from the previous serializer would have been

<p><em style="ball &amp; chain">foo</em></p>

<p><em style="ball">foo</em></p>

<p><em style="ball&quot; badAttribute=&quot;chain">foo</em></p>

In addition to well-formedness issues, the third example has obvious security implications, depending on how the client program's sanitization works.
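The three inputs from the report, run through an attribute escaper written for this page as an added example (it is not maruku's code and does not show how maruku fixed the issue). It escapes `& < > " '` in attribute values, drops C0 control characters rather than truncating at NUL the way the Nokogiri output above does (a choice made here), and rejects attribute names outside a conservative whitelist (also assumed here; HTML permits more). The unescaped renderer is kept only so the attribute count can show the injected `badAttribute` disappearing:

```ruby
# Added example, not maruku's own code: escaping HTML attribute values so a
# value can neither terminate its attribute nor smuggle a new one in.

ATTR_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# C0 control characters are dropped instead of truncating at NUL as a
# C-based serializer would; that is a design choice made here, not maruku's.
CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/

def escape_attribute(value)
  value.to_s.gsub(CONTROL_CHARS, '').gsub(/[&<>"']/) { |c| ATTR_ESCAPES[c] }
end

# Text nodes need the same treatment; reusing the attribute escaper is
# harmless (quotes become entities, which browsers render back as quotes).
def escape_text(text)
  escape_attribute(text)
end

# Conservative whitelist for attribute names (assumed here; HTML allows more).
ATTR_NAME = /\A[A-Za-z_:][A-Za-z0-9_:.-]*\z/

def valid_attribute_name?(name)
  ATTR_NAME.match?(name.to_s)
end

# Serialise an <em> element with the given attributes. Raises rather than
# emitting a malformed tag when an attribute name is not acceptable.
def render_em(text, attrs = {})
  rendered = attrs.map do |name, value|
    raise ArgumentError, "bad attribute name: #{name.inspect}" unless valid_attribute_name?(name)
    " #{name}=\"#{escape_attribute(value)}\""
  end.join
  "<em#{rendered}>#{escape_text(text)}</em>"
end

# The raw interpolation the issue reports, kept for comparison only.
def render_em_unescaped(text, attrs = {})
  rendered = attrs.map { |name, value| " #{name}=\"#{value}\"" }.join
  "<em#{rendered}>#{text}</em>"
end

# Count the attributes an <em> open tag actually carries after serialisation,
# to show that the escaped form keeps exactly one style attribute.
def attribute_count(html)
  open_tag = html[/\A<em([^>]*)>/, 1] || ''
  open_tag.scan(/\s[A-Za-z_:][^\s=]*="[^"]*"/).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the three style values from the report above.
  ["ball & chain", "ball\u00008 chain", "ball\" badAttribute=\"chain"].each do |style|
    puts "unescaped: #{render_em_unescaped('foo', 'style' => style)}"
    puts "escaped:   #{render_em('foo', 'style' => style)}"
  end
end
```

The check that matters for the third case is the attribute count: the unescaped tag carries two attributes (`style` and the injected `badAttribute`), the escaped tag carries one, whose value happens to contain the text `badAttribute=` but is inert.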

bhollis commented 10 years ago

Thanks, I'll get some tests in for that.

bhollis commented 10 years ago

Thanks. This is now fixed. Let me know if you find anything else that needs work, I'm building up a 0.7.1 release soon.