html_attr: do not escape colons

Author: gharlan

src/Runtime/EscaperRuntime.php

@@ -259,7 +259,7 @@ public function escape($string, string $strategy = 'html', ?string $charset = nu
                     throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
                 }
 
-                $string = preg_replace_callback('#[^a-zA-Z0-9,\.\-_]#Su', function ($matches) {
+                $string = preg_replace_callback('#[^a-zA-Z0-9,\.\-_:]#Su', function ($matches) {
                     /**
                      * This function is adapted from code coming from Zend Framework.
                      *

tests/Runtime/EscaperRuntimeTest.php

@@ -38,6 +38,7 @@ class EscaperRuntimeTest extends TestCase
         '.' => '.',
         '-' => '-',
         '_' => '_',
+        ':' => ':',
         /* Basic alnums excluded */
         'a' => 'a',
         'A' => 'A',
@@ -300,7 +301,7 @@ public function testJavascriptEscapingEscapesOwaspRecommendedRanges()
 
     public function testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()
     {
-        $immune = [',', '.', '-', '_']; // Exceptions to escaping ranges
+        $immune = [',', '.', '-', '_', ':']; // Exceptions to escaping ranges
         for ($chr = 0; $chr < 0xFF; ++$chr) {
             if ($chr >= 0x30 && $chr <= 0x39
             || $chr >= 0x41 && $chr <= 0x5A