ZK-5766: DomPurify fails with partial html content

zk/src/main/resources/web/js/zk/widget.ts

@@ -3163,9 +3163,9 @@ new zul.wnd.Window({
 			if ((tempHtml = this.domStyle_(no)))
 				outHtml += ' style="' + tempHtml + '"';
 			if ((tempHtml = this.domClass_(no)))
-				outHtml += ' class="' + /*safe*/ zUtl.encodeXMLAttribute(tempHtml) + '"';
+				outHtml += ' class="' + /*safe*/ zUtl.encodeXML(tempHtml) + '"';
 			if ((tempHtml = this.domTooltiptext_()))
-				outHtml += ' title="' + /*safe*/ zUtl.encodeXMLAttribute(tempHtml) + '"'; // ZK-676
+				outHtml += ' title="' + /*safe*/ zUtl.encodeXML(tempHtml) + '"'; // ZK-676
 			if ((tabIndexHtml = /*safe*/ this.getTabindex()) != undefined)
 				outHtml += ' tabindex="' + tabIndexHtml + '"';
 		} else {
@@ -3174,9 +3174,9 @@ new zul.wnd.Window({
 			if (!no.domStyle && (tempHtml = this.domStyle_(no)))
 				outHtml += ' style="' + tempHtml + '"';
 			if (!no.domClass && (tempHtml = this.domClass_(no)))
-				outHtml += ' class="' + /*safe*/ zUtl.encodeXMLAttribute(tempHtml) + '"';
+				outHtml += ' class="' + /*safe*/ zUtl.encodeXML(tempHtml) + '"';
 			if (!no.tooltiptext && (tempHtml = this.domTooltiptext_()))
-				outHtml += ' title="' + /*safe*/ zUtl.encodeXMLAttribute(tempHtml) + '"'; // ZK-676
+				outHtml += ' title="' + /*safe*/ zUtl.encodeXML(tempHtml) + '"'; // ZK-676
 			if (!no.tabindex && (tabIndexHtml = /*safe*/ this.getTabindex()) != undefined)
 				outHtml += ' tabindex="' + tabIndexHtml + '"';
 		}

zkdoc/release-note

@@ -2,7 +2,8 @@ ZK 10.1.0
 * Features
 
 * Bugs
- ZK-5764: Unable to call original method when using custom ViewModelAnnotationResolver
+  ZK-5764: Unable to call original method when using custom ViewModelAnnotationResolver
+  ZK-5766: DomPurify fails with partial html content
 
 * Upgrade Notes
 

zktest/src/main/webapp/test2/B101-ZK-5766.zul

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+B101-ZK-5766.zul
+
+	Purpose:
+
+	Description:
+
+	History:
+		2024/8/15, Created by jumperchen
+
+Copyright (C) 2024 Potix Corporation. All Rights Reserved.
+
+-->
+<zk>
+	<div>
+		<zscript>
+			<![CDATA[
+      String anotherTooltip = "TEST <a test>...</a> should display in tooltip";
+      String anotherTooltip2 = "TEST <a href>...</a> should display in tooltip";
+	    ]]>
+		</zscript>
+
+		<a tooltiptext="${anotherTooltip}" label="Click here for XSS"/>
+		<button sclass="${anotherTooltip2}" label="Click here for XSS"/>
+
+		<div tooltiptext="${anotherTooltip}">looks ok but</div>
+		<div tooltiptext="${anotherTooltip2}">this causes a problem</div>
+		<window title="click here for xss" sclass="${anotherTooltip2}"></window>
+	</div>
+</zk>

zktest/src/main/webapp/test2/config.properties

@@ -3127,6 +3127,7 @@ B90-ZK-4431.zul=A,E,Multislider
 
 ## B101
 ##zats##B101-ZK-5764.zul=A,E,MVVM,Annotation,Method
+##zats##B101-ZK-5766.zul=A,E,XSS,Security
 
 ##
 # Features - 3.0.x version

zktest/src/test/java/org/zkoss/zktest/zats/test2/B101_ZK_5766Test.java

@@ -0,0 +1,30 @@
+/* B101_ZK_5766Test.java
+
+	Purpose:
+
+	Description:
+
+	History:
+		5:06 PM 2024/8/15, Created by jumperchen
+
+Copyright (C) 2024 Potix Corporation. All Rights Reserved.
+*/
+package org.zkoss.zktest.zats.test2;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+
+import org.zkoss.test.webdriver.WebDriverTestCase;
+
+/**
+ * @author jumperchen
+ */
+public class B101_ZK_5766Test extends WebDriverTestCase {
+
+	@Test
+	public void test() {
+		connect();
+		assertEquals(0, jq("div>:contains(\"should display in tooltip\")").length());
+	}
+}