[4.x]: attr filter double-encoding existing class and style attributes

[mmikkel]

What happened?

Description

If the attr filter is applied to a tag that already had its attributes encoded, any exploded attributes like class and style, will become double-encoded.

The reason seems to be that Html::parseTagAttributes() doesn't account for exploded attributes:

cms/src/helpers/Html.php

Line 361 in 2c347e1

if (is_string($value)) {

Related: #12886

Steps to reproduce

Applying multiple |attr filters to the same tag will double encode ampersands (i.e. to & instead of the expected &) in the class attribute:

{% apply attr({ disabled: true })|attr({ type: 'button' }) %}
    <button class="[&[disabled]]:opacity-50">
{% endapply %}

The double-encoding also happens if a tag is rendered using the {% tag %} tag or tag() function, and then has the attr filter applied to it:

{{ tag('button', { class: '[&[disabled]]:opacity-50' })|attr({ disabled: true }) }}

Expected behavior

The attr filter should never double-encode existing attributes.

Actual behavior

The attr filter will double-encode certain existing attributes, such as class and style.

Craft CMS version

4.4.1

PHP version

8.1.12

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

None

[brandonkelly]

Thanks for reporting! Craft 3.8.2 and 4.4.2 are out now with a fix.

[mmikkel]

Awesome, thanks a lot Brandon 🚀