Mardak / profile


Sanitize attributes #68

Closed Mardak closed 10 years ago

Mardak commented 10 years ago

Bleach.clean is not an acceptable way of sanitizing data used for attribute values. Please simply escape HTML metacharacters directly.

oyiptong commented 10 years ago

Using https://github.com/Mardak/profile/blob/master/data/js/bleach.js#L95 we should prevent injection by escaping HTML attributes.

Note that URLs need to be handled differently, as documented by #67

Mardak commented 10 years ago

bleach.escapeHTML('aaa<bbb>ccc:ddd/eee"fff;ggg?hhh#iii') returns this right now "aaa&#60;bbb&#62;ccc&#58;ddd&#47;eee&#34;fff&#59;ggg&#63;hhh&#35;iii" and works fine when using .innerHTML even though &quot; is &#34;
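
As an added example (not code from the profile repository or its bleach.js), the behaviour the comment above describes: every character outside [A-Za-z0-9] becomes a decimal numeric character reference, which cannot close a double-quoted attribute value or open a tag. The function names, the safety check and the use of the quoted string as sample input are assumptions made for this example.

```javascript
// Added example, not the bleach.js implementation. Replaces every character that is
// not an ASCII letter or digit with a decimal numeric character reference (&#NN;),
// which reproduces the output quoted in the thread. The 'u' flag makes the regex
// match whole code points, so astral characters become one reference, not two
// surrogate halves (which HTML parsers would reject).
function escapeHTMLAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Characters that could terminate a quoted attribute value or start markup.
const ATTR_METACHARS = /[&<>"'`]/;

// True when the text can sit inside a double-quoted attribute value without
// changing document structure: after removing well-formed numeric references,
// no metacharacter may remain.
function isSafeForAttribute(text) {
  return !ATTR_METACHARS.test(text.replace(/&#\d+;/g, ""));
}

// Builds name="escaped value"; the quoting is part of the contract, the escaping
// alone does not make an unquoted attribute safe.
function attr(name, value) {
  return `${name}="${escapeHTMLAttr(value)}"`;
}

// Sample input constructed from the string quoted in the thread.
const SAMPLE = 'aaa<bbb>ccc:ddd/eee"fff;ggg?hhh#iii';

console.log(escapeHTMLAttr(SAMPLE));
console.log(attr("title", SAMPLE));
console.log(isSafeForAttribute(SAMPLE), isSafeForAttribute(escapeHTMLAttr(SAMPLE)));
```

URL-valued attributes such as href still need the separate handling discussed in #67; this escaping only protects the attribute boundary, not the URL scheme.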

oyiptong commented 10 years ago

I guess that is sanitizing, but not escaping ;-)

oyiptong commented 10 years ago

Ah, I see, my eyes mis-parsed the hash.