2 files changed, 24 insertions, 12 deletions
diff --git a/phpBB/assets/javascript/editor.js b/phpBB/assets/javascript/editor.js
index d0d849330a..878a5cab86 100644
--- a/phpBB/assets/javascript/editor.js
+++ b/phpBB/assets/javascript/editor.js
@@ -250,13 +250,13 @@ function generate_quote(text, attributes)
 	if ('author' in attributes)
 	{
 		// Add the author as the BBCode's default attribute
-		quote += '=' + enquote(attributes.author);
+		quote += '=' + format_attribute_value(attributes.author);
 		delete attributes.author;
 	}
 	for (var name in attributes)
 	{
 		var value = attributes[name];
-		quote += ' ' + name + '=' + enquote(String(value));
+		quote += ' ' + name + '=' + format_attribute_value(String(value));
 	}
 	quote += ']' + text + '[/quote]';
 
@@ -264,16 +264,22 @@ function generate_quote(text, attributes)
 }
 
 /**
-* Return given string between quotes
+* Format given string to be used as an attribute value
 *
-* Will use either single- or double- quotes depending on whichever requires less escaping.
+* Will return the string as-is if it can be used in a BBCode without quotes. Otherwise,
+* it will use either single- or double- quotes depending on whichever requires less escaping.
 * Quotes and backslashes are escaped with backslashes where necessary
 *
 * @param  {!string} str Original string
-* @return {!string}     Escaped string within quotes
+* @return {!string}     Same string if possible, escaped string within quotes otherwise
 */
-function enquote(str)
+function format_attribute_value(str)
 {
+	if (!/[ "'\\\]]/.test(str))
+	{
+		// Return as-is if it contains none of: space, ' " \ or ]
+		return str;
+	}
 	var singleQuoted = "'" + str.replace(/[\\']/g, '\\$&') + "'",
 		doubleQuoted = '"' + str.replace(/[\\"]/g, '\\$&') + '"';
 
diff --git a/phpBB/phpbb/textformatter/s9e/utils.php b/phpBB/phpbb/textformatter/s9e/utils.php
index df1966fa32..40479b3423 100644
--- a/phpBB/phpbb/textformatter/s9e/utils.php
+++ b/phpBB/phpbb/textformatter/s9e/utils.php
@@ -35,16 +35,22 @@ class utils implements \phpbb\textformatter\utils_interface
 	}
 
 	/**
-	* Return given string between quotes
+	* Format given string to be used as an attribute value
 	*
-	* Will use either single- or double- quotes depending on whichever requires less escaping.
+	* Will return the string as-is if it can be used in a BBCode without quotes. Otherwise,
+	* it will use either single- or double- quotes depending on whichever requires less escaping.
 	* Quotes and backslashes are escaped with backslashes where necessary
 	*
 	* @param  string $str Original string
-	* @return string      Escaped string within quotes
+	* @return string      Same string if possible, escaped string within quotes otherwise
 	*/
-	protected function enquote($str)
+	protected function format_attribute_value($str)
 	{
+		if (!preg_match('/[ "\'\\\\\\]]/', $str))
+		{
+			// Return as-is if it contains none of: space, ' " \ or ]
+			return $str;
+		}
 		$singleQuoted = "'" . addcslashes($str, "\\'") . "'";
 		$doubleQuoted = '"' . addcslashes($str, '\\"') . '"';
 
@@ -61,13 +67,13 @@ class utils implements \phpbb\textformatter\utils_interface
 		if (isset($attributes['author']))
 		{
 			// Add the author as the BBCode's default attribute
-			$quote .= '=' . $this->enquote($attributes['author']);
+			$quote .= '=' . $this->format_attribute_value($attributes['author']);
 			unset($attributes['author']);
 		}
 		ksort($attributes);
 		foreach ($attributes as $name => $value)
 		{
-			$quote .= ' ' . $name . '=' . $this->enquote($value);
+			$quote .= ' ' . $name . '=' . $this->format_attribute_value($value);
 		}
 		$quote .= ']';
 		$newline = (strlen($quote . $text . '[/quote]') > 80 || strpos($text, "\n") !== false) ? "\n" : '';