Closed chriseidhof closed 3 years ago
LGTM, Thanks!
I was concerned that this might trip up JavaScript but I couldn't come up with a case where it did, e.g. this works as expected:
<html>
<body>
<button onclick="javascript:alert(&quot;Hallo&quot; === &quot;Hal&quot; + &quot;lo&quot;)"></button>
</body>
</html>
If there is a quote in an attribute value, we should escape it. I am 99% sure this is all that needs to happen. Even < and > are fine to use inside attribute values.
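The escaping discussed in this thread, as an added example that is not code from this pull request: it renders the `onclick` handler from the thread with and without escaping and reads the attribute back with a simplified model of an HTML parser. The helper names (`escapeAttr`, `decodeRefs`, `readAttr`, `renderButton`) are hypothetical, and escaping `&` alongside `"` is an assumption of this example, made so that text that already looks like a character reference survives the round trip.

```javascript
// Added example; escapeAttr, decodeRefs, readAttr and renderButton are
// hypothetical helper names, not the project's API.

// Inside a double-quoted attribute value only two characters are special:
// '"' ends the value and '&' starts a character reference.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Decode the two references escapeAttr emits (a browser decodes many more).
function decodeRefs(raw) {
  return raw.replace(/&(quot|amp);/g, (_, name) => (name === "quot" ? '"' : "&"));
}

// Simplified model of how an HTML parser reads name="...": the value runs
// to the next literal '"', then character references are decoded.
function readAttr(html, name) {
  const marker = name + '="';
  const start = html.indexOf(marker);
  if (start === -1) return null;
  const from = start + marker.length;
  const end = html.indexOf('"', from);
  return end === -1 ? null : decodeRefs(html.slice(from, end));
}

function renderButton(handler, escape) {
  const value = escape ? escapeAttr(handler) : handler;
  return '<button onclick="' + value + '"></button>';
}

// Handler from the thread, plus a constructed one containing <, > and &.
const fromThread = 'javascript:alert("Hallo" === "Hal" + "lo")';
const constructed = 'if (1 < 2 && 3 > 2) alert("ok")';

for (const handler of [fromThread, constructed]) {
  console.log("raw     ->", readAttr(renderButton(handler, false), "onclick"));
  console.log("escaped ->", readAttr(renderButton(handler, true), "onclick"));
}
```

Without escaping, the parsed handler is cut off at the first inner quote; with escaping, the JavaScript the browser receives is identical to the original string, including the unescaped `<` and `>`.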