Closed avacariu closed 7 years ago
FYI, I’ve included a fix for this in my pull request: https://github.com/mankyd/htmlmin/pull/36
I started creating my own fix for this without first noticing that somebody already created one, d'oh. This issue has some XSS potential, I just managed to malform the webpage of one of our sites, where data-* attributes were generated from user input - htmlmin unescaped the < and > entities and without quotes this led to script injection.
In any case, my PR is here, feel free to close it: #40
It's invalid HTML otherwise.
Reference: http://www.w3.org/TR/html-markup/syntax.html#attr-value-unquoted
Fixes #33 and #32