From c9eecb93f8fbbae1de42c5ccd6bf5a7b058162aa Mon Sep 17 00:00:00 2001
From: Nikita Hovratov <nikita.h@live.de>
Date: Sun, 16 Feb 2020 22:12:31 +0100
Subject: [PATCH] [BUGFIX] Ignore quotes in tag attribute value decoding

This patch: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62227
introduced decoding of attribute values in tags. This was necessary for
email link parameter, but broke html inside attribute tags, because
quotes were left unescaped.

Resolves: #90339
Releases: master, 9.5
Change-Id: I3c336901df6e3ee5eeea46888db11c40986ced56
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63274
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Richard Haeser <richard@maxserv.com>
---
 typo3/sysext/core/Classes/Utility/GeneralUtility.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
index 56976fa33dc1..7bf446ce1443 100644
--- a/typo3/sysext/core/Classes/Utility/GeneralUtility.php
+++ b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -1227,7 +1227,7 @@ class GeneralUtility
             if ($val !== '=') {
                 if ($valuemode) {
                     if ($name) {
-                        $attributes[$name] = htmlspecialchars_decode($val);
+                        $attributes[$name] = htmlspecialchars_decode($val, ENT_NOQUOTES);
                         $name = '';
                     }
                 } else {
-- 
GitLab