How should, attribute values in HTML context encode ? #3

Open
drmuey opened this issue Nov 4, 2014 · 1 comment
drmuey commented Nov 4, 2014

e.g. Given what should a " look like if it is in the variable?

Typically the idea is the “caller knows” meaning the caller should do the needful with validating data and escaping input or output based on what it is doing because it knows what it is doing.

Given the first example, the caller should have HTML escaped $value before passing it in.

Seems though that a reasonable exception to that is with " in an attribute value in HTML context.

Seems simple at first but quickly gets weird:

e.g. just turn " into & and we are good, right?

Seems like it but what happens when it is " or " or \" or …?

Should we do them all, none, or some (i.e. ones with an odd # of \ before it)?

What if I want a backslashed " but this makes me encode?

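The questions in this comment, worked through in code. This is an added example, not code from this issue or from drmuey's project; it assumes the value is being placed inside a double-quoted HTML attribute and uses Python's standard `html.escape`. The sample strings are constructed for the demonstration. Two points it makes concrete: HTML has no backslash escape, so a `"` preceded by any number of `\` still terminates the attribute and must be encoded every time (the odd-number-of-backslashes rule belongs to string-literal contexts, not HTML); and when both the caller and the callee follow "the caller knows" and encode, a value like `&quot;` gets double-encoded, which is the trade-off behind "all, none, or some".

```python
import html
import re

# Constructed sample inputs (not from the issue): what a caller might hand over.
SAMPLES = {
    "plain": 'say "hi"',
    "already_encoded": 'say &quot;hi&quot;',  # caller already escaped it
    "backslashed": 'say \\"hi\\"',            # backslash does NOT protect " in HTML
}

ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")

ATTR_MAP = {"&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;", "'": "&#x27;"}


def encode_attr(value: str) -> str:
    """Encode a string for a double-quoted HTML attribute: every '"' becomes
    '&quot;' unconditionally, because a preceding backslash means nothing to
    the HTML parser. '&', '<', '>' and "'" are encoded too, so the result is
    also safe in a single-quoted attribute. Already-encoded input gets
    encoded again (see encode_attr_no_double for the alternative)."""
    return html.escape(value, quote=True)


def encode_attr_no_double(value: str) -> str:
    """Variant for the 'caller may already have escaped' case: leaves a
    well-formed entity alone, encodes any other '&' and all of '"', '<',
    '>', "'". The cost is that a literal '&quot;' the caller really wanted
    displayed cannot be expressed, so pick one policy per interface."""
    out = []
    i = 0
    while i < len(value):
        m = ENTITY_RE.match(value, i)
        if m:
            out.append(m.group(0))
            i = m.end()
            continue
        out.append(ATTR_MAP.get(value[i], value[i]))
        i += 1
    return "".join(out)


def attribute_stays_closed(encoded: str) -> bool:
    """Check used by the tests: inside a double-quoted attribute the encoded
    text must contain no raw '"', or the attribute would be cut short."""
    return '"' not in encoded


def render_title_attr(value: str) -> str:
    """The 'caller knows' pattern done at the output boundary: encode at the
    point the value meets the attribute, not somewhere upstream."""
    return '<a title="' + encode_attr(value) + '">x</a>'


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {encode_attr(raw)!r:34} {encode_attr_no_double(raw)!r}")
```

The first column of the output shows the unconditional encoder double-encoding the `already_encoded` sample (`&amp;quot;`), while the second column shows the entity-preserving variant leaving it intact; both variants encode every `"` in the `backslashed` sample, which is what keeps the attribute closed.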
drmuey changed the title from "Should, attribute values in HTML context encode ?" to "How should, attribute values in HTML context encode ?" on Nov 4, 2014
drmuey commented Nov 4, 2014

BTW, thanks to JD for asking about this, prompting this issue.
