feat: single-quoted attribute value syntax support

Author: feiin

README.en.md

@@ -189,6 +189,17 @@ func SafeAttrValue(tag, name, value string) string {
 }
 ```
 
+### Customize output attribute value syntax for HTML
+By specifying a `SingleQuotedAttributeValue`. Use `true` for `'`. Otherwise default `"` will be used
+```golang
+options.SingleQuotedAttributeValue = true
+
+// With the configuration specified above, the following HTML:
+// <a href="#">Hello</a>
+// would become:
+// <a href='#'>Hello</a>
+```
+
 
 
 ### Quick Start

README.md

@@ -185,6 +185,20 @@ func SafeAttrValue(tag, name, value string) string {
 }
 ```
 
+### 自定义属性值引用为单引号
+
+当`SingleQuotedAttributeValue`为false时默认为双引号，为true时则为单引号
+
+```golang
+options.SingleQuotedAttributeValue = true
+
+// 设置属性为true后，以下HTML
+// <a href="#">Hello</a>
+// 输出结果:
+// <a href='#'>Hello</a>
+```
+
+
 ### 自定义 CSS 过滤器
 
 TODO

xss.go

@@ -3,8 +3,10 @@ package xss
 import (
 	// "errors"
 	// "bytes"
-	"github.com/feiin/pkg/arrays"
+	"fmt"
 	"strings"
+
+	"github.com/feiin/pkg/arrays"
 	// "io"
 )
 
@@ -102,6 +104,11 @@ func (x *Xss) Process(html string) string {
 	OnIgnoreTagAttr := x.options.OnIgnoreTagAttr
 	whiteList := x.options.WhiteList
 
+	attributeWrapSign := "\""
+	if x.options.SingleQuotedAttributeValue {
+		attributeWrapSign = "'"
+	}
+
 	//remove invisible characters
 	if x.options.StripBlankChar {
 		html = stripBlankChar(html)
@@ -164,7 +171,7 @@ func (x *Xss) Process(html string) string {
 				if isWhiteAttr {
 					value = safeAttrValue(tag, name, value)
 					if len(value) > 0 {
-						return name + "=\"" + value + "\""
+						return fmt.Sprintf("%s=%s%s%s", name, attributeWrapSign, value, attributeWrapSign) // name + "=\"" + value + "\""
 					} else {
 						return name
 					}

xss_option.go

@@ -14,7 +14,8 @@ type XssOption struct {
 	// remove html comments
 	AllowCommentTag bool
 
-	StripIgnoreTag bool
+	StripIgnoreTag             bool
+	SingleQuotedAttributeValue bool
 
 	// StripIgnoreTagBody
 	StripIgnoreTagBody []string

xss_test.go

@@ -1506,3 +1506,31 @@ func TestOnTagSanitizeHtml(t *testing.T) {
 		t.Errorf("TestStripIngoreBodyTag4 error %s", html)
 	}
 }
+
+func TestSingleQuotedAttributeValue(t *testing.T) {
+	source := "<a title=\"xx\">single-quoted</a>"
+
+	html := FilterXSS(source, XssOption{SingleQuotedAttributeValue: false})
+
+	if html != "<a title=\"xx\">single-quoted</a>" {
+		t.Errorf("TestSingleQuotedAttributeValue expect: %s but:%s", source, html)
+
+	}
+
+	html = FilterXSS(source, XssOption{SingleQuotedAttributeValue: true})
+
+	expect := "<a title='xx'>single-quoted</a>"
+	if html != expect {
+		t.Errorf("TestSingleQuotedAttributeValue expect:%s  but:%s", expect, html)
+
+	}
+
+	source = "<a title='xx'>single-quoted</a>"
+
+	html = FilterXSS(source, XssOption{SingleQuotedAttributeValue: false})
+	expect = "<a title=\"xx\">single-quoted</a>"
+	if html != expect {
+		t.Errorf("TestSingleQuotedAttributeValue expect: %s but:%s", expect, html)
+
+	}
+}