RubyGems - loofah - Versions diffs - 0.3.1 → 0.4.0 - Mend

loofah 0.3.1 → 0.4.0

Potentially problematic release.

This version of loofah might be problematic. Click here for more details.

Files changed (25) hide show

data.tar.gz.sig +0 -0
data/CHANGELOG.rdoc +9 -0
data/Manifest.txt +3 -1
data/README.rdoc +223 -92
data/Rakefile +11 -3
data/TODO.rdoc +0 -5
data/lib/loofah.rb +27 -138
data/lib/loofah/active_record.rb +10 -18
data/lib/loofah/html/document.rb +4 -4
data/lib/loofah/html/document_fragment.rb +5 -5
data/lib/loofah/html5/scrub.rb +1 -1
data/lib/loofah/html5/whitelist.rb +1 -1
data/lib/loofah/instance_methods.rb +47 -0
data/lib/loofah/scrubber.rb +98 -76
data/lib/loofah/scrubbers.rb +199 -0
data/lib/loofah/xss_foliate.rb +71 -69
data/test/html5/test_sanitizer.rb +12 -9
data/test/test_active_record.rb +22 -0
data/test/test_ad_hoc.rb +42 -0
data/test/test_api.rb +47 -1
data/test/test_scrubber.rb +204 -102
data/test/test_scrubbers.rb +144 -0
metadata +44 -12
metadata.gz.sig +0 -0
data/test/html5/testdata/tests1.dat +0 -501

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -31,7 +31,7 @@ cert_chain:
   FlqnTjy13J3nD30uxy9a1g==
   -----END CERTIFICATE-----
-date: 2009-10-12 00:00:00 -04:00
+date: 2009-11-21 00:00:00 -05:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -44,6 +44,36 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.3.3
     version:
+- !ruby/object:Gem::Dependency
+  name: mocha
+  type: :development
+  version_requirement:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: "0.9"
+    version:
+- !ruby/object:Gem::Dependency
+  name: thoughtbot-shoulda
+  type: :development
+  version_requirement:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: "2.10"
+    version:
+- !ruby/object:Gem::Dependency
+  name: acts_as_fu
+  type: :development
+  version_requirement:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.5
+    version:
 - !ruby/object:Gem::Dependency
   name: hoe
   type: :development
@@ -55,15 +85,14 @@ dependencies:
         version: 2.3.3
     version:
 description: |-
-  Loofah is an HTML sanitizer. It will always fix broken markup, but
-  can also sanitize unsafe tags in a few different ways, and transform
-  the markup for storage or display.
-  It's built on top of Nokogiri and libxml2, so it's fast. And it uses
-  html5lib's whitelist, so it most likely won't make your codes less
-  secure. \*
+  Loofah is a general library for manipulating HTML/XML documents and
+  fragments. It's built on top of Nokogiri and libxml2, so it's fast and
+  has a nice API.
-  \* These statements have not been evaluated by Netexperts.
+  Loofah excels at HTML sanitization (XSS prevention). It includes some
+  nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
+  most likely won't make your codes less secure. (These statements have
+  not been evaluated by Netexperts.)
 email:
 - mike.dalessio@gmail.com
 - bryan@brynary.com
@@ -98,16 +127,18 @@ files:
 - lib/loofah/html/document_fragment.rb
 - lib/loofah/html5/scrub.rb
 - lib/loofah/html5/whitelist.rb
+- lib/loofah/instance_methods.rb
 - lib/loofah/scrubber.rb
+- lib/loofah/scrubbers.rb
 - lib/loofah/xss_foliate.rb
 - test/helper.rb
 - test/html5/test_sanitizer.rb
-- test/html5/testdata/tests1.dat
 - test/test_active_record.rb
 - test/test_ad_hoc.rb
 - test/test_api.rb
 - test/test_helpers.rb
 - test/test_scrubber.rb
+- test/test_scrubbers.rb
 - test/test_xss_foliate.rb
 has_rdoc: true
 homepage: http://loofah.rubyforge.org
@@ -137,11 +168,12 @@ rubyforge_project: loofah
 rubygems_version: 1.3.5
 signing_key:
 specification_version: 3
-summary: Loofah is an HTML sanitizer
+summary: Loofah is a general library for manipulating HTML/XML documents and fragments
 test_files:
 - test/test_xss_foliate.rb
 - test/test_helpers.rb
 - test/test_scrubber.rb
+- test/test_scrubbers.rb
 - test/test_api.rb
 - test/test_ad_hoc.rb
 - test/html5/test_sanitizer.rb

metadata.gz.sig CHANGED

Binary file

data/test/html5/testdata/tests1.dat DELETED

@@ -1,501 +0,0 @@
-[
-  {
-    "name": "IE_Comments",
-    "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
-    "output": ""
-  },
-  {
-    "name": "IE_Comments_2",
-    "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
-    "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "allow_colons_in_path_component",
-    "input": "<a href=\"./this:that\">foo</a>",
-    "output": "<a href='./this:that'>foo</a>"
-  },
-  {
-    "name": "background_attribute",
-    "input": "<div background=\"javascript:alert('XSS')\"></div>",
-    "output": "<div/>",
-    "xhtml": "<div></div>",
-    "rexml": "<div></div>"
-  },
-  {
-    "name": "bgsound",
-    "input": "<bgsound src=\"javascript:alert('XSS');\" />",
-    "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
-    "rexml": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
-  },
-  {
-    "name": "div_background_image_unicode_encoded",
-    "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
-    "output": "<div style=''>foo</div>"
-  },
-  {
-    "name": "div_expression",
-    "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
-    "output": "<div style=''>foo</div>"
-  },
-  {
-    "name": "double_open_angle_brackets",
-    "input": "<img src=http://ha.ckers.org/scriptlet.html <",
-    "output": "<img src='http://ha.ckers.org/scriptlet.html'/>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "double_open_angle_brackets_2",
-    "input": "<script src=http://ha.ckers.org/scriptlet.html <",
-    "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "grave_accents",
-    "input": "<img src=`javascript:alert('XSS')` />",
-    "output": "<img/>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "img_dynsrc_lowsrc",
-    "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "img_vbscript",
-    "input": "<img src='vbscript:msgbox(\"XSS\")' />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "input_image",
-    "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
-    "output": "<input type='image'/>",
-    "rexml": "<input type='image' />"
-  },
-  {
-    "name": "link_stylesheets",
-    "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/&gt;",
-    "rexml": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/&gt;"
-  },
-  {
-    "name": "link_stylesheets_2",
-    "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/&gt;",
-    "rexml": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/&gt;"
-  },
-  {
-    "name": "list_style_image",
-    "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
-    "output": "<li style=''>foo</li>"
-  },
-  {
-    "name": "no_closing_script_tags",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "non_alpha_non_digit",
-    "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "non_alpha_non_digit_2",
-    "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "non_alpha_non_digit_3",
-    "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
-    "output": "<img src='http://ha.ckers.org/xss.js'/>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "non_alpha_non_digit_II",
-    "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "non_alpha_non_digit_III",
-    "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "platypus",
-    "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>"
-  },
-  {
-    "name": "protocol_resolution_in_script_tag",
-    "input": "<script src=//ha.ckers.org/.j></script>",
-    "output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_allow_anchors",
-    "input": "<a href='foo' onclick='bar'><script>baz</script></a>",
-    "output": "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
-  },
-  {
-    "name": "should_allow_image_alt_attribute",
-    "input": "<img alt='foo' onclick='bar' />",
-    "output": "<img alt='foo'/>",
-    "rexml": "<img alt='foo' />"
-  },
-  {
-    "name": "should_allow_image_height_attribute",
-    "input": "<img height='foo' onclick='bar' />",
-    "output": "<img height='foo'/>",
-    "rexml": "<img height='foo' />"
-  },
-  {
-    "name": "should_allow_image_src_attribute",
-    "input": "<img src='foo' onclick='bar' />",
-    "output": "<img src='foo'/>",
-    "rexml": "<img src='foo' />"
-  },
-  {
-    "name": "should_allow_image_width_attribute",
-    "input": "<img width='foo' onclick='bar' />",
-    "output": "<img width='foo'/>",
-    "rexml": "<img width='foo' />"
-  },
-  {
-    "name": "should_handle_blank_text",
-    "input": "",
-    "output": ""
-  },
-  {
-    "name": "should_handle_malformed_image_tags",
-    "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
-    "output": "<img/>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_handle_non_html",
-    "input": "abc",
-    "output": "abc"
-  },
-  {
-    "name": "should_not_fall_for_ridiculous_hack",
-    "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_0",
-    "input": "<img src=\"javascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_1",
-    "input": "<img src=javascript:alert('XSS') />",
-    "output": "<img/>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_10",
-    "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_11",
-    "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_12",
-    "input": "<img src=\" &#14;  javascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_13",
-    "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_14",
-    "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_2",
-    "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_3",
-    "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_4",
-    "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_5",
-    "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_6",
-    "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_7",
-    "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_8",
-    "input": "<img src=\"jav\tascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_not_fall_for_xss_image_hack_9",
-    "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
-    "output": "<img/>",
-    "rexml": "<img />"
-  },
-  {
-    "name": "should_sanitize_half_open_scripts",
-    "input": "<img src=\"javascript:alert('XSS')\"",
-    "output": "<img/>",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_sanitize_invalid_script_tag",
-    "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets",
-    "input": "<<script>alert(\"XSS\");//<</script>",
-    "output": "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
-    "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
-    "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_sanitize_tag_broken_up_by_null",
-    "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
-    "output": "&lt;scr\ufffdipt&gt;alert(\"XSS\")&lt;/scr\ufffdipt&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_sanitize_unclosed_script",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols",
-    "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
-    "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols",
-    "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'/>boo",
-    "rexml": "<img title='1' />"
-  },
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
-    "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'/>boo",
-    "rexml": "<img title='1' />"
-  },
-  {
-    "name": "xml_base",
-    "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-  {
-    "name": "xul",
-    "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
-    "output": "<p style=''>fubar</p>"
-  },
-  {
-    "name": "quotes_in_attributes",
-    "input": "<img src='foo' title='\"foo\" bar' />",
-    "rexml": "<img src='foo' title='\"foo\" bar' />",
-    "output": "<img title='&quot;foo&quot; bar' src='foo'/>"
-  },
-  {
-    "name": "uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(#foo)' />",
-    "rexml": "<rect fill='url(#foo)'></rect>",
-    "xhtml": "<rect fill='url(#foo)'></rect>",
-    "output": "<rect fill='url(#foo)'/>"
-  },
-  {
-    "name": "absolute_uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(http://bad.com/) #fff' />",
-    "rexml": "<rect fill='  #fff'></rect>",
-    "xhtml": "<rect fill='  #fff'></rect>",
-    "output": "<rect fill='  #fff'/>"
-  },
-  {
-    "name": "uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill='url(\n#foo)' />",
-    "rexml": "<rect fill='url(\n#foo)'></rect>",
-    "xhtml": "<rect fill='url(\n#foo)'></rect>",
-    "output": "<rect fill='url(\n#foo)'/>"
-  },
-  {
-    "name": "absolute_uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
-    "rexml": "<rect fill=' '></rect>",
-    "xhtml": "<rect fill=' '></rect>",
-    "output": "<rect fill=' '/>"
-  },
-  {
-    "name": "allow_html5_image_tag",
-    "input": "<image src='foo' />",
-    "rexml": "&lt;image src=\"foo\"&gt;&lt;/image&gt;",
-    "output": "&lt;image src=\"foo\"/&gt;"
-  },
-  {
-    "name": "style_attr_end_with_nothing",
-    "input": "<div style=\"color: blue\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-  {
-    "name": "style_attr_end_with_space",
-    "input": "<div style=\"color: blue \" />",
-    "output": "<div style='color: blue ;'/>",
-    "xhtml": "<div style='color: blue ;'></div>",
-    "rexml": "<div style='color: blue ;'></div>"
-  },
-  {
-    "name": "style_attr_end_with_semicolon",
-    "input": "<div style=\"color: blue;\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-  {
-    "name": "style_attr_end_with_semicolon_space",
-    "input": "<div style=\"color: blue; \" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-  {
-   "name": "attributes_with_embedded_quotes",
-   "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
-   "output": "<img src='doesntexist.jpg&quot;&apos;onerror=&quot;alert(1)'/>",
-   "rexml": "Ill-formed XHTML!"
-  },
-  {
-   "name": "attributes_with_embedded_quotes_II",
-   "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
-   "output": "<img src='notthere.jpg&quot;&quot;onerror=&quot;alert(2)'/>",
-   "rexml": "Ill-formed XHTML!"
-  }
-]