From 39662b0c782c384159ac21f4cd1f8f791aec6d7d Mon Sep 17 00:00:00 2001
From: Will Pimblett <will@wjdp.uk>
Date: Thu, 6 Sep 2018 01:02:03 +0100
Subject: [PATCH] Fix panic when meta url starts with single or double quote

Will now raise an issue that meta url should not start with these characters as per spec

https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-refresh

> For meta elements with an http-equiv attribute in the Refresh state, the content attribute must have a value consisting either of:
>
> - just a valid non-negative integer, or
> - a valid non-negative integer, followed by a U+003B SEMICOLON character (;), followed by one or more ASCII whitespace, followed by a substring that is an ASCII case-insensitive match for the string "URL", followed by a U+003D EQUALS SIGN character (=), followed by a valid URL string that does not start with a literal U+0027 APOSTROPHE (') or U+0022 QUOTATION MARK (") character.
---
 htmltest/check-meta.go                | 9 +++++++++
 htmltest/check-meta_test.go           | 7 +++++++
 htmltest/fixtures/meta/issues/92.html | 8 ++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 htmltest/fixtures/meta/issues/92.html

diff --git a/htmltest/check-meta.go b/htmltest/check-meta.go
index 6db53e4..f4d50e5 100644
--- a/htmltest/check-meta.go
+++ b/htmltest/check-meta.go
@@ -28,6 +28,15 @@ func (hT *HTMLTest) checkMetaRefresh(document *htmldoc.Document, node *html.Node
 		// Define ref from this
 		var ref *htmldoc.Reference
 		if len(contentSplit) == 2 {
+			if contentSplit[1][0]==34 || contentSplit[1][0]==39 {
+				hT.issueStore.AddIssue(issues.Issue{
+					Level:     issues.LevelError,
+					Message:   "url in meta refresh must not start with single or double quote",
+					Reference: ref,
+				})
+				return
+			}
+
 			ref = htmldoc.NewReference(document, node, contentSplit[1])
 		} else {
 			ref = htmldoc.NewReference(document, node, "")
diff --git a/htmltest/check-meta_test.go b/htmltest/check-meta_test.go
index 777c0ef..921462b 100644
--- a/htmltest/check-meta_test.go
+++ b/htmltest/check-meta_test.go
@@ -83,3 +83,10 @@ func TestMetaRefreshContentInvalid(t *testing.T) {
 	tExpectIssueCount(t, hT3, 1)
 	tExpectIssue(t, hT3, "invalid content attribute in meta refresh", 1)
 }
+
+// Fails when meta refresh url starts with a single or double quote
+func TestIssue92(t *testing.T) {
+	hT := tTestFile("fixtures/meta/issues/92.html")
+	tExpectIssueCount(t, hT, 2)
+	tExpectIssue(t, hT, "url in meta refresh must not start with single or double quote", 2)
+}
diff --git a/htmltest/fixtures/meta/issues/92.html b/htmltest/fixtures/meta/issues/92.html
new file mode 100644
index 0000000..f49d065
--- /dev/null
+++ b/htmltest/fixtures/meta/issues/92.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <title>ox-hugo Test Site</title>
+    <meta http-equiv="refresh" content="0; URL='https://github.com/kaushalmodi/ox-hugo/issues'" />
+    <meta http-equiv="refresh" content='0; URL="https://github.com/kaushalmodi/ox-hugo/issues"' />
+</head>
+</html>