Closed: Mardak closed 10 years ago
Using https://github.com/Mardak/profile/blob/master/data/js/bleach.js#L95 we should prevent injection by escaping HTML attributes.
Note that URLs need to be handled differently, as documented by #67.
bleach.escapeHTML('aaa<bbb>ccc:ddd/eee"fff;ggg?hhh#iii')
returns this right now "aaa<bbb>ccc:ddd/eee"fff;ggg?hhh#iii"
and works fine when using .innerHTML even though "
is "
I guess that is sanitizing, but not escaping ;-)
Ah, I see, my eyes mis-parsed the hash.
Bleach.clean is not an acceptable way of sanitizing data used for attribute values. Please simply escape HTML metacharacters directly.