From 31d8e36d1f95a3d13bb3d2a3b88a9826759687a0 Mon Sep 17 00:00:00 2001
From: Roman Simionov <roman-simionov@users.noreply.github.com>
Date: Fri, 3 Nov 2017 15:03:29 +0300
Subject: [PATCH] Avoid executing script when attribute is set without quotes
 (T571307) (#1830)

---
 js/viz/core/renderers/renderer.js                 | 15 ++++++++-------
 .../DevExpress.viz.renderers/SvgElement.tests.js  |  6 +++++-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/js/viz/core/renderers/renderer.js b/js/viz/core/renderers/renderer.js
index 340018286999..96063a77ab37 100644
--- a/js/viz/core/renderers/renderer.js
+++ b/js/viz/core/renderers/renderer.js
@@ -705,14 +705,15 @@ function adjustLineHeights(items) {
 }
 
 function removeExtraAttrs(html) {
-    var findTagAttrs = /(?:<[a-z0-9])+(?:[\s\S]*?>)/gi,
-        findStyleAttrWithValue = /(\S*\s*)=\s*(["'])(?:(?!\2).)*\2\s?/gi;
+    var findTagAttrs = /(?:(<[a-z0-9]+\s*))([\s\S]*?)(>|\/>)/gi,
+        findStyleAndClassAttrs = /(style|class)\s*=\s*(["'])(?:(?!\2).)*\2\s?/gi;
 
-    return html.replace(findTagAttrs, function(allTagAttrs) {
-        return allTagAttrs.replace(findStyleAttrWithValue, function(currentAttr, attrName) {
-            var lowerCaseAttrName = attrName.toLowerCase();
-            return lowerCaseAttrName === "style" || lowerCaseAttrName === "class" ? currentAttr : "";
-        });
+    return html.replace(findTagAttrs, function(allTagAttrs, p1, p2, p3) {
+        p2 = (p2 && p2.match(findStyleAndClassAttrs) || []).map(function(str) {
+            return str;
+        }).join(" ");
+
+        return p1 + p2 + p3;
     });
 }
 
diff --git a/testing/tests/DevExpress.viz.renderers/SvgElement.tests.js b/testing/tests/DevExpress.viz.renderers/SvgElement.tests.js
index 5448bf9aae12..b0695bedc4a3 100644
--- a/testing/tests/DevExpress.viz.renderers/SvgElement.tests.js
+++ b/testing/tests/DevExpress.viz.renderers/SvgElement.tests.js
@@ -5588,9 +5588,12 @@ function checkDashStyle(assert, elem, result, style, value) {
             }),
             mixedQuotesWithStyle4 = this.createText().attr({
                 text: "<b src='e' style='font-size:11px;fill:#767676;font-family:\"Segoe UI\", \"Helvetica Neue\";font-weight:400;cursor:default;' >aa</b>", x: 20, y: 30
+            }),
+            withoutQuotes = this.createText().attr({
+                text: "<video src=1 style='font-size:11px;' onerror=alert(1)> </video>", x: 20, y: 30
             });
 
-        assert.strictEqual(withoutClosingTags.DEBUG_parsedHtml, "text >with <angle brackets > without closing");
+        assert.strictEqual(withoutClosingTags.DEBUG_parsedHtml, "text >with <angle > without closing");
         assert.strictEqual(withClosing.DEBUG_parsedHtml, "text <with>angle brackets </with >closing");
         assert.strictEqual(withSimpleMarkup.DEBUG_parsedHtml, "text with markup1<a class=\"className\"></a>");
         assert.strictEqual(withSimpleStyleTag.DEBUG_parsedHtml, '<b style="font-size:11px;" >aa</b>');
@@ -5600,5 +5603,6 @@ function checkDashStyle(assert, elem, result, style, value) {
         assert.strictEqual(mixedQuotesWithStyle2.DEBUG_parsedHtml, '<b style=\'font-size:11px;fill:#767676;font-family:"Segoe UI", "Helvetica Neue"font-weight:400;cursor:default;\' >aa</b>');
         assert.strictEqual(mixedQuotesWithStyle3.DEBUG_parsedHtml, "<b style='font-size:11px;fill:#767676;font-family:\"Segoe UI\"; cursor:default;' > </b>");
         assert.strictEqual(mixedQuotesWithStyle4.DEBUG_parsedHtml, "<b style='font-size:11px;fill:#767676;font-family:\"Segoe UI\", \"Helvetica Neue\";font-weight:400;cursor:default;' >aa</b>");
+        assert.strictEqual(withoutQuotes.DEBUG_parsedHtml, "<video style='font-size:11px;' > </video>");
     });
 })();