From dde08ec7560989c6f1a06970dfb82f45a684785f Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sun, 28 Jun 2009 22:49:52 +1200
Subject: [PATCH] Author: Don Hopkins Bug 1087: ESI processor not quoting attributes correctly. Use HTML 4.01 specified double-quotes instead of HTML 1.0 single quotes and HTML-encode any double-quotes contained within the attribute data.
---
 src/esi/Esi.cc | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/esi/Esi.cc b/src/esi/Esi.cc
index af01c61197..ebf2df411e 100644
--- a/src/esi/Esi.cc
+++ b/src/esi/Esi.cc
@@ -1028,10 +1028,19 @@ ESIContext::start(const char *el, const char **attr, size_t attrCount)
 assert (xstrncpy (pos, attr[i], sizeof(localbuf) + (pos - localbuf)));
 pos += strlen (pos);
 *pos++ = '=';
- *pos++ = '\'';
- assert (xstrncpy (pos, attr[i + 1], sizeof(localbuf) + (pos - localbuf)));
+ *pos++ = '\"';
+ const char *chPtr = attr[i + 1];
+ char ch;
+ while ((ch = *chPtr++) != '\0') {
+ if (ch == '\"') {
+ assert( xstrncpy(pos, """, sizeof(localbuf) + (pos-localbuf)) );
+ pos += 6;
+ } else {
+ *(pos++) = ch;
+ }
+ }
 pos += strlen (pos);
- *pos++ = '\'';
+ *pos++ = '\"';
 }
 *pos++ = '>';
-- 
2.47.2
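Review bot: The new per-character loop writes into `localbuf` with no bounds check at `*(pos++) = ch;`, whereas the removed `xstrncpy` call at least took a length argument, so a long attribute value can run past the end of the buffer. The context line `pos += strlen (pos);` kept after the loop now measures bytes the `else` branch never terminated, so `pos` can jump ahead by whatever stale data follows and that line should be dropped. The bound `sizeof(localbuf) + (pos - localbuf)` reused in the new `xstrncpy` call grows as `pos` advances and was probably meant to subtract. Attribute values appear to come from the document being processed, so I would check every write against the end of `localbuf` as sketched below, assuming `localbuf` is an array as the `sizeof` uses suggest. The literal shown as `"""` on this page is presumably `"&quot;"` given `pos += 6`, and the three-byte reserve is a guess because the rest of `ESIContext::start` lies outside the hunk.

```cpp
const char *chPtr = attr[i + 1];
char ch;
// Keep room for the closing quote, '>' and a terminator (reserve size to be confirmed).
char *const valueEnd = localbuf + sizeof(localbuf) - 3;
while ((ch = *chPtr++) != '\0') {
    if (ch == '\"') {
        assert(valueEnd - pos >= 6);
        memcpy(pos, "&quot;", 6);
        pos += 6;
    } else {
        assert(pos < valueEnd);
        *pos++ = ch;
    }
}
// … dropped: pos += strlen (pos); the loop already leaves pos at the end of the value …
*pos++ = '\"';
```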