e.g. Given what should a " look like if it is in the variable?
Typically the idea is the “caller knows” meaning the caller should do the needful with validating data and escaping input or output based on what it is doing because it knows what it is doing.
Given the first example, the caller should have HTML escaped $value before passing it in.
Seems though that a reasonable exception to that is with " in an attribute value in HTML context.
Seems simple at first but quickly gets weird:
e.g. just turn " into & and we are good right?
Seems like it but what happens when it is " or " or \" or …?
Should we do them all, none, or some (i.e. ones with an odd # of \ before it)?
What if I want a backslashed " but this makes me encode?
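As an added illustration of the trade-off the issue raises (not code from the project or from the issue author): a plain attribute-context escaper that follows the "caller knows" rule, beside a variant that leaves well-formed entity references alone so a caller who already escaped is not double-encoded. The samples are constructed. One fact worth keeping in mind when reading the backslash cases: HTML attribute values have no backslash escape mechanism, so a `\"` that reaches the markup unescaped still terminates the attribute, which is why the escaper below treats backslashes as ordinary characters.

```python
import html
import re

# Constructed sample values a caller might hand to a placeholder inside
# href="..." or title="...".  None of these come from the issue.
SAMPLES = {
    "raw": 'x" onmouseover="alert(1)',   # a bare " would end the attribute
    "pre_escaped": 'say &quot;hi&quot;',  # caller already HTML-escaped it
    "backslashed": 'say \\"hi\\"',        # caller used C/JS-style backslashes
    "numeric": 'say &#34;hi&#34;',        # numeric entity form of "
}

# Matches an & that does NOT begin a well-formed entity reference
# (&name; &#dd; or &#xhh;).  Only those ampersands get re-encoded.
_LONE_AMP = re.compile(r'&(?!(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);)')


def attr_escape(value: str) -> str:
    """Escape for a double-quoted HTML attribute: & < > " and '.

    Strict "caller knows" behaviour: everything is encoded, so a value the
    caller already escaped comes out double-encoded (&quot; -> &amp;quot;).
    Backslashes are left as-is; they mean nothing in HTML.
    """
    return html.escape(value, quote=True)


def attr_escape_idempotent(value: str) -> str:
    """Escape like attr_escape, but leave existing entity references intact.

    Trade-off: a caller who really meant the literal text '&amp;' cannot get
    it, so this is only appropriate when the template's contract says values
    may arrive pre-escaped.  Quotes and angle brackets are still always encoded.
    """
    out = _LONE_AMP.sub('&amp;', value)
    return (out.replace('<', '&lt;')
               .replace('>', '&gt;')
               .replace('"', '&quot;')
               .replace("'", '&#x27;'))


def attribute_closed_early(rendered_value: str) -> bool:
    """True if dropping rendered_value into href="..." would end the attribute.

    A raw " closes it regardless of any preceding backslashes.
    """
    return '"' in rendered_value


def render_href(value: str, escaper=attr_escape) -> str:
    """Render the template fragment <a href="[value]"> with the given escaper."""
    return '<a href="%s">' % escaper(value)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name)
        print("  strict     :", render_href(sample))
        print("  idempotent :", render_href(sample, attr_escape_idempotent))
        print("  raw closes?:", attribute_closed_early(sample))
```

Running the block prints both renderings for each sample; the "backslashed" case shows that the raw value would close the attribute while either escaper neutralises it, and the "pre_escaped" case shows the double-encoding that the strict escaper produces and the idempotent one avoids.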
drmuey changed the title from "Should, attribute values in HTML context encode ?" to "How should, attribute values in HTML context encode ?" on Nov 4, 2014