The value of all href attributes is escaped.

node/utils/ExportHtml.js

@@ -292,7 +292,7 @@ function getHTMLFromAtext(pad, atext)
         var url = urlData[1];
         var urlLength = url.length;
         processNextChars(startIndex - idx);
-        assem.append('<a href="' + url.replace(/\"/g, '&quot;') + '">');
+        assem.append('<a href="' + _escapeHTML(url) + '">');
         processNextChars(urlLength);
         assem.append('</a>');
       });

static/js/domline.js

@@ -162,7 +162,7 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
         {
           href = "http://"+href;
         }
-        extraOpenTags = extraOpenTags + '<a href="' + href.replace(/\"/g, '&quot;') + '">';
+        extraOpenTags = extraOpenTags + '<a href="' + domline.escapeHTML(href) + '">';
         extraCloseTags = '</a>' + extraCloseTags;
       }
       if (simpleTags)

static/js/domline_client.js

@@ -158,7 +158,7 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
     {
       if (href)
       {
-        extraOpenTags = extraOpenTags + '<a href="' + href.replace(/\"/g, '&quot;') + '">';
+        extraOpenTags = extraOpenTags + '<a href="' + domline.escapeHTML(href) + '">';
         extraCloseTags = '</a>' + extraCloseTags;
       }
       if (simpleTags)

static/js/pad_utils.js

@@ -187,7 +187,7 @@ var padutils = {
         var startIndex = urls[j][0];
         var href = urls[j][1];
         advanceTo(startIndex);
-        pieces.push('<a ', (target ? 'target="' + target + '" ' : ''), 'href="', href.replace(/\"/g, '&quot;'), '">');
+        pieces.push('<a ', (target ? 'target="' + target + '" ' : ''), 'href="', padutils.escapeHtml(href), '">');
         advanceTo(startIndex + href.length);
         pieces.push('</a>');
       }