Closed phackt closed 6 years ago
Hello, hope you're well. I would like to discuss one case that is not triggered by DSXS. Example of PHP code:
```php
<?php echo "<input type=\"text\" name=\"test\" name=\"".str_replace('"','\\"',$_GET['param'])."\"></input>"; ?>
```
The backslash is not interpreted as an escape character in this HTML context and leads to XSS. Do you agree that this kind of pattern is handled by the following regexps in your code:
```python
(r"<[^>]*=\s*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),
(r'<[^>]*=\s*"[^>"]*%(chars)s[^>"]*"[^>]*>', ('"',), "'<.\".xss.\".>', inside the tag, inside double-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),
```
If you confirm, I can submit a pull request to avoid passing the mandatory chars through the `re.sub` function for these cases (N.B.: the `_contains` function).
Cheers mate.
Should be fixed with the latest commit. Not very happy about the patch, but I am not sure that anybody could come up with a cleaner one.
Elegant patch! Thanks