Bugfix: invalid attribute values gave out-of-bounds

Author: tdewolff

html/util.go

@@ -41,19 +41,22 @@ func EscapeAttrVal(buf *[]byte, orig, b []byte) []byte {
 		return orig
 	}
 
+	n := len(b) + 2
 	var quote byte
 	var escapedQuote []byte
 	if doubles > singles {
+		n += singles * 4
 		quote = '\''
 		escapedQuote = singleQuoteEntityBytes
 	} else {
+		n += doubles * 4
 		quote = '"'
 		escapedQuote = doubleQuoteEntityBytes
 	}
-	if len(b)+2 > cap(*buf) {
-		*buf = make([]byte, 0, len(b)+2) // maximum size, not actual size
+	if n > cap(*buf) {
+		*buf = make([]byte, 0, n) // maximum size, not actual size
 	}
-	t := (*buf)[:len(b)+2] // maximum size, not actual size
+	t := (*buf)[:n] // maximum size, not actual size
 	t[0] = quote
 	j := 1
 	start := 0