OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
493 stars 111 forks source link

Confusing example in Encode.forHtmlAttribute docs #71

Closed meeque closed 3 months ago

meeque commented 6 months ago

Currently the Encode.forHtmlAttribute JavaDocs contain this JSP example:

<div><%=Encode.forHtmlAttribute(unsafeData)%></div>

I guess this may be secure, but imho it does not reflect the intention of this method. How about using an example that involves html attributes? Maybe something like this:

<div title="<%=Encode.forHtmlAttribute(unsafeData)%>">...</div>
<div title='<%=Encode.forHtmlAttribute(unsafeData)%>'>...</div>

Imho the JavaDocs should also mention that the caller of this method must add quotes around the outputs of this method.

If you think any of this is helpful, I can prepare a PR.

kwwall commented 6 months ago

I agree. That's a Javadoc bug. I thought that quotes were mentioned as being required somewhere in the Encode Javadoc, but I could be wrong about that.

I'd say PR away, but that's not really my call.

meeque commented 6 months ago

Well, I've proposed PR #72 to fix this. Feel free to provide feedback...

jeremylong commented 3 months ago

PR has been merged. Thanks again for the PR!