X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=_source%2Fplugins%2Fhtmlwriter%2Fplugin.js;h=46faddec28f865127cc1fb40dfc7da9d93ad60f1;hb=e7789c1ad838194d45eeee6ac2eb6e55f5cf35a1;hp=5c4a7be25fa906e8b773e015ed4244895877fffb;hpb=941b0a9ba4e673e292510d80a5a86806994b8ea6;p=ckeditor.git

diff --git a/_source/plugins/htmlwriter/plugin.js b/_source/plugins/htmlwriter/plugin.js
index 5c4a7be..46fadde 100644
--- a/_source/plugins/htmlwriter/plugin.js
+++ b/_source/plugins/htmlwriter/plugin.js
@@ -171,8 +171,13 @@ CKEDITOR.htmlWriter = CKEDITOR.tools.createClass(
 		 */
 		attribute : function( attName, attValue )
 		{
-			if ( this.forceSimpleAmpersand )
-				attValue = attValue.replace( /&/, '&' );
+
+			if ( typeof attValue == 'string' )
+			{
+				this.forceSimpleAmpersand && ( attValue = attValue.replace( /&/g, '&' ) );
+				// Browsers don't always escape special character in attribute values. (#4683, #4719).
+				attValue = CKEDITOR.tools.htmlEncodeAttr( attValue );
+			}
 
 			this._.output.push( ' ', attName, '="', attValue, '"' );
 		},