Escape attributes before printing

[oliverpool]

As noticed in a-h/templ#284

 // < & co. gets wrongly removed
htmlformat.Fragment(&buf, strings.NewReader(`<button class="&lt;script&gt; &#34; href=&#34;#hacked">Escaped classes</button>`))

a.Val must be escaped using html.EscapeString in at least two places:

htmlformat/format.go

Line 63 in c3d4a33

if _, err = fmt.Fprintf(w, ` %s="%s"`, a.Key, val); err != nil {

htmlformat/format.go

Line 133 in c3d4a33

if _, err = fmt.Fprintf(w, ` %s="%s"`, a.Key, a.Val); err != nil {

[a-h]

Ah, you're right. Thanks!

Unfortunately, I don't think it's as simple as just re-escaping the a.Val, because if the attribute value is already invalid, e.g. class="&", running it through html.EscapeString will "fix" it so that the output is class="&".
This was discussed golang/go#52911 but I don't think the use case for having access to the raw value was really explained.

One use case is to unminify HTML created by a templating engine, so that we can compare it to expected output, and have an easy to visualise result.

Part of that use case is to find issues like invalid escaping, so fixing the invalid input isn't what we want.

One option is to fork the HTML parser and make the change to add the raw attribute value to the Node type, and then use it. There's only about 1 commit a month to the parser, so it probably wouldn't be too much of a maintenance burden. https://github.com/golang/net/commits/master/html

[oliverpool]

having access to the raw value was really explained

Actually getting the "value as interpreted by the browser" should be enough (which is what a.Val gives I think). Even if the string representation differ, if the browser interpretation is the same, then the code should be safe.

Alternatively, you could reconstruct an html.Token from an html.Node (with a StartTagToken type) and call the t.String() method on it (but it will still escape previously unescaped values).

[a-h]

Thanks, agreed. I've fixed this in 5bd994f