OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

decoded html entities in href #193

Closed fr3akX closed 4 years ago

fr3akX commented 4 years ago

The `href` attribute value has decoded HTML entities in the output.

Example

```java
import org.owasp.html.Sanitizers;
public class Demo {
    public static void main(String[] args) {
        String input = "<a href=\"/index.php?action=1&order_id=1\">order</a>";
        System.out.println(Sanitizers.LINKS.sanitize(input)); // href comes out with "&order" decoded
    }
}
```

Output

```html
<a href="/index.php?action&#61;1ℴ_id&#61;1" rel="nofollow">order</a>
```

`&order` is decoded as `ℴ`, which renders an invalid link.

yangbongsoo commented 4 years ago

@fr3akX Hello. I think the `-` and `_` chars may be treated as plain letters. What do you think?
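The report above and the follow-up about `_` both hinge on how a decoder reads `&order_id` inside an attribute. The example below is added here and is not code from java-html-sanitizer; it uses Python's `html.unescape`, which implements the HTML5 named-character-reference table, as a reference decoder. It shows that `&order` followed by `_` is not a reference (the name only decodes when terminated by `;`), that writing the URL with `&amp;` makes the attribute unambiguous for any decoder, and it adds a small `entity_collisions` check (function names and the sample URLs are my own) that flags query parameter names a lenient decoder could misread.

```python
# Added illustration for this issue; not code from java-html-sanitizer.
# Python's html.unescape follows the HTML5 named-character-reference table,
# so it serves as a reference decoder for how an href value should be read.
import html
import re
from html.entities import html5

# Constructed sample URL (same shape as the one in the report).
RAW_URL = "/index.php?action=1&order_id=1"


def decode_attribute(value: str) -> str:
    """Decode character references in an attribute value per HTML5.

    "&order" followed by "_" is not a reference (the name "order" only
    decodes when terminated by ";"), so the query string survives intact.
    """
    return html.unescape(value)


def encode_for_attribute(url: str) -> str:
    """Encode a URL for embedding in an href: & -> &amp;, quotes escaped.

    After decoding, &amp; becomes a single &, so neither a strict nor a
    lenient (missing-";") decoder can misread the parameter names.
    """
    return html.escape(url, quote=True)


def round_trip(url: str) -> str:
    """Encode then decode: the original URL must come back unchanged."""
    return decode_attribute(encode_for_attribute(url))


_AMP_NAME = re.compile(r"&([A-Za-z][A-Za-z0-9]*)")


def entity_collisions(raw_url: str) -> list[tuple[str, str]]:
    """Flag '&name' tokens in a *raw* (not yet encoded) URL that a lenient
    decoder could misread as a named reference.

    Returns (parameter_name, colliding_reference) pairs. A name collides when
    some prefix of it is an HTML5 reference: either a legacy one that decodes
    even without ";" (e.g. &copy) or one that requires ";" (e.g. &order;),
    which a decoder tolerant of a missing ";" would still apply.
    """
    hits: list[tuple[str, str]] = []
    for match in _AMP_NAME.finditer(raw_url):
        name = match.group(1)
        for n in range(len(name), 0, -1):
            prefix = name[:n]
            if prefix in html5:          # legacy reference, valid without ";"
                hits.append((name, "&" + prefix))
                break
            if prefix + ";" in html5:    # reference that requires ";"
                hits.append((name, "&" + prefix + ";"))
                break
    return hits


if __name__ == "__main__":
    print(decode_attribute(RAW_URL))                            # unchanged
    print(decode_attribute("/index.php?action=1&order;_id=1"))  # contains U+2134
    print(encode_for_attribute(RAW_URL))                        # &amp;order_id=1
    print(entity_collisions(RAW_URL))                           # [('order', '&order;')]
```

Run `entity_collisions` on the raw URL before encoding, not after: the `&amp;` produced by `encode_for_attribute` is itself a legacy reference and would be reported. The practical takeaway for page authors is the `encode_for_attribute` step: emitting `&amp;` between query parameters removes the dependence on how strictly a given sanitizer or browser applies the trailing-semicolon rule.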