diff --git a/NEWS b/NEWS
index 4e838c63..23b41c33 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Support for Internet Explorer compatibility with %HTML.SafeObject
using %Output.FlashCompat.
! Handle
properly, by inserting the necessary - tag.
+- Always quote the insides of url(...) in CSS.
4.0.0, released 2009-07-07
# APIs for ConfigSchema subsystem have substantially changed. See
diff --git a/library/HTMLPurifier/AttrDef/CSS/URI.php b/library/HTMLPurifier/AttrDef/CSS/URI.php
index 435d7930..54b7d63f 100644
--- a/library/HTMLPurifier/AttrDef/CSS/URI.php
+++ b/library/HTMLPurifier/AttrDef/CSS/URI.php
@@ -47,7 +47,7 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
// URI at all
$result = str_replace($keys, $values, $result);
- return "url($result)";
+ return "url('$result')";
}
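Review bot: The new `return "url('$result')";` is only safe if the `str_replace($keys, $values, $result)` step above it backslash-escapes `'` and `\`, and if newlines cannot reach this point. An unescaped quote in `$result` would close the CSS string early, and the rest of the value would be parsed outside it. `$keys` and `$values` are defined outside this hunk, so this cannot be confirmed from the lines shown. I would check the two arrays against that requirement and record it above the return, e.g. `// $result is emitted inside a single-quoted CSS string; $keys must cover ' and \`. The function body starts outside the hunk.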
diff --git a/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php b/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php
index bf2f24e0..b36d09a6 100644
--- a/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php
@@ -8,12 +8,12 @@ class HTMLPurifier_AttrDef_CSS_BackgroundTest extends HTMLPurifier_AttrDefHarnes
$config = HTMLPurifier_Config::createDefault();
$this->def = new HTMLPurifier_AttrDef_CSS_Background($config);
- $valid = '#333 url(chess.png) repeat fixed 50% top';
+ $valid = '#333 url(\'chess.png\') repeat fixed 50% top';
$this->assertDef($valid);
$this->assertDef('url("chess.png") #333 50% top repeat fixed', $valid);
$this->assertDef(
'rgb(34, 56, 33) url(chess.png) repeat fixed top',
- 'rgb(34,56,33) url(chess.png) repeat fixed top'
+ 'rgb(34,56,33) url(\'chess.png\') repeat fixed top'
);
}
diff --git a/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php b/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php
index fa04fb60..8fd43e59 100644
--- a/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php
@@ -13,14 +13,14 @@ class HTMLPurifier_AttrDef_CSS_ListStyleTest extends HTMLPurifier_AttrDefHarness
$this->assertDef('circle outside');
$this->assertDef('inside');
$this->assertDef('none');
- $this->assertDef('url(foo.gif)');
- $this->assertDef('circle url(foo.gif) inside');
+ $this->assertDef('url(\'foo.gif\')');
+ $this->assertDef('circle url(\'foo.gif\') inside');
// invalid values
$this->assertDef('outside inside', 'outside');
// ordering
- $this->assertDef('url(foo.gif) none', 'none url(foo.gif)');
+ $this->assertDef('url(foo.gif) none', 'none url(\'foo.gif\')');
$this->assertDef('circle lower-alpha', 'circle');
// the spec is ambiguous about what happens in these
// cases, so we're going off the W3C CSS validator
diff --git a/tests/HTMLPurifier/AttrDef/CSS/URITest.php b/tests/HTMLPurifier/AttrDef/CSS/URITest.php
index 099b1639..20cc79d2 100644
--- a/tests/HTMLPurifier/AttrDef/CSS/URITest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/URITest.php
@@ -15,8 +15,8 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
// no quotes are used, since that's the most widely supported
// syntax
$this->assertDef('url(', false);
- $this->assertDef('url()', true);
- $result = "url(http://www.example.com/)";
+ $this->assertDef('url(\'\')', true);
+ $result = "url('http://www.example.com/')";
$this->assertDef('url(http://www.example.com/)', $result);
$this->assertDef('url("http://www.example.com/")', $result);
$this->assertDef("url('http://www.example.com/')", $result);
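Review bot: The context comment at the top of this hunk, `// no quotes are used, since that's the most widely supported syntax`, now contradicts the expectations below it, which all normalise to the single-quoted form. It should be replaced with something like `// output is always single-quoted, whatever quoting the input used`, so the next reader does not take the quoted `$result` for a mistake. The test method starts outside the hunk.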
@@ -25,7 +25,7 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
// escaping
$this->assertDef("url(http://www.example.com/foo,bar\))",
- "url(http://www.example.com/foo\,bar\))");
+ "url('http://www.example.com/foo\,bar\)')");
}
}
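Review bot: The escaping case in this hunk still exercises only `,` and `)`, but now that the value is wrapped in single quotes the delimiter that matters is `'`. I would add cases whose URI contains `'`, `"` and a backslash, and assert that each one is either escaped inside the quoted string or rejected outright. The exact expected strings depend on the escape table in URI.php, which is not visible here, so they need to be written against that table rather than guessed.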
diff --git a/tests/HTMLPurifier/AttrDef/CSSTest.php b/tests/HTMLPurifier/AttrDef/CSSTest.php
index 1c15a5c1..8ef818db 100644
--- a/tests/HTMLPurifier/AttrDef/CSSTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSSTest.php
@@ -25,7 +25,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
$this->assertDef('text-transform:capitalize;');
$this->assertDef('background-color:rgb(0,0,255);');
$this->assertDef('background-color:transparent;');
- $this->assertDef('background:#333 url(chess.png) repeat fixed 50% top;');
+ $this->assertDef('background:#333 url(\'chess.png\') repeat fixed 50% top;');
$this->assertDef('color:#F00;');
$this->assertDef('border-top-color:#F00;');
$this->assertDef('border-color:#F00 #FF0;');
@@ -73,9 +73,9 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
$this->assertDef('vertical-align:12px;');
$this->assertDef('vertical-align:50%;');
$this->assertDef('table-layout:fixed;');
- $this->assertDef('list-style-image:url(nice.jpg);');
- $this->assertDef('list-style:disc url(nice.jpg) inside;');
- $this->assertDef('background-image:url(foo.jpg);');
+ $this->assertDef('list-style-image:url(\'nice.jpg\');');
+ $this->assertDef('list-style:disc url(\'nice.jpg\') inside;');
+ $this->assertDef('background-image:url(\'foo.jpg\');');
$this->assertDef('background-image:none;');
$this->assertDef('background-repeat:repeat-y;');
$this->assertDef('background-attachment:fixed;');
@@ -101,7 +101,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
// bad props
$this->assertDef('nodice:foobar;', false);
$this->assertDef('position:absolute;', false);
- $this->assertDef('background-image:url(javascript:alert\(\));', false);
+ $this->assertDef('background-image:url(\'javascript:alert\(\)\');', false);
// airy input
$this->assertDef(' font-weight : bold; color : #ff0000',
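Review bot: The negative test for `javascript:` in this hunk had its input rewritten to the quoted form, so the unquoted `url(javascript:...)` input is no longer checked for rejection. The expectation is `false` either way, so nothing forced the input to change. Both spellings are reachable from user markup, so I would keep the original line `$this->assertDef('background-image:url(javascript:alert\(\));', false);` next to the new quoted one, and ideally add a double-quoted variant as well. The test method starts and ends outside the hunk.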
diff --git a/tests/HTMLPurifier/HTMLT/munge-extra.htmlt b/tests/HTMLPurifier/HTMLT/munge-extra.htmlt
index a469cdd4..c10109ed 100644
--- a/tests/HTMLPurifier/HTMLT/munge-extra.htmlt
+++ b/tests/HTMLPurifier/HTMLT/munge-extra.htmlt
@@ -7,5 +7,5 @@ URI.MungeResources = true
--EXPECT--
Link
-
+
--# vim: et sw=4 sts=4
diff --git a/tests/HTMLPurifier/HTMLT/tidy-background.htmlt b/tests/HTMLPurifier/HTMLT/tidy-background.htmlt
index 9b112708..e9438b84 100644
--- a/tests/HTMLPurifier/HTMLT/tidy-background.htmlt
+++ b/tests/HTMLPurifier/HTMLT/tidy-background.htmlt
@@ -1,5 +1,5 @@
--HTML--
--EXPECT--
-
+
--# vim: et sw=4 sts=4