Closed alb-xss closed 1 year ago
Describe the bug
The pagination HTML result contains encoded HTML entities, even for class names, href, etc.
To Reproduce
Steps to reproduce the behavior:
Example
<div class="pagination-container"><ul class="pagination"><li class="active"><span>1</span></li><li><a href="[/?page=2](view-source:https://localhost:44326/?page=2)">2</a></li><li><a href="[/?page=3](view-source:https://localhost:44326/?page=3)">3</a></li><li><a href="[/?page=4](view-source:https://localhost:44326/?page=4)">4</a></li><li><a href="[/?page=5](view-source:https://localhost:44326/?page=5)">5</a></li><li><a href="[/?page=6](view-source:https://localhost:44326/?page=6)">6</a></li><li><a href="[/?page=7](view-source:https://localhost:44326/?page=7)">7</a></li><li><a href="[/?page=8](view-source:https://localhost:44326/?page=8)">8</a></li><li><a href="[/?page=9](view-source:https://localhost:44326/?page=9)">9</a></li><li><a href="[/?page=10](view-source:https://localhost:44326/?page=10)">10</a></li><li class="PagedList-ellipses"><a class="PagedList-skipToNext" href="[/?page=11](view-source:https://localhost:44326/?page=11)" rel="next">…</a></li><li class="PagedList-skipToNext"><a href="[/?page=2](view-source:https://localhost:44326/?page=2)" rel="next">></a></li><li class="PagedList-skipToLast"><a href="[/?page=441](view-source:https://localhost:44326/?page=441)">>></a></li></ul></div>
Expected behavior
HTML attributes should not be entity encoded.
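The symptom reported above, reproduced as an added example (not the reporter's or the project's code): a Python sketch that builds the pager so that only values are encoded, then flags output in which the tags themselves were encoded. The function names, the sample base URL and the idea that the finished markup was passed through a text encoder are assumptions made for illustration.

```python
import html
import re

def render_pager(current, last, base="/?page="):
    """Emit tags as markup; encode only the values placed inside them."""
    items = []
    for page in range(1, last + 1):
        if page == current:
            items.append(f'<li class="active"><span>{page}</span></li>')
        else:
            href = html.escape(f"{base}{page}", quote=True)  # attribute context
            items.append(f'<li><a href="{href}">{page}</a></li>')
    if current < last:
        href = html.escape(f"{base}{current + 1}", quote=True)
        label = html.escape(">")  # text context: rendered as &gt;
        items.append('<li class="PagedList-skipToNext">'
                     f'<a href="{href}" rel="next">{label}</a></li>')
    return ('<div class="pagination-container"><ul class="pagination">'
            + "".join(items) + "</ul></div>")

def encode_whole_fragment(markup):
    """Assumed failure mode: finished markup passed through a text encoder."""
    return html.escape(markup, quote=True)

def check_pager_output(rendered):
    """Return the encoding problems found in rendered pager HTML."""
    problems = []
    if re.search(r"&lt;/?(?:div|ul|li|a|span)\b", rendered):
        problems.append("markup-encoded")
    if re.search(r"\b(?:class|href|rel)=&quot;", rendered):
        problems.append("attribute-delimiters-encoded")
    if re.search(r"&amp;(?:lt|gt|quot|amp);", rendered):
        problems.append("double-encoded")
    return problems

if __name__ == "__main__":
    # Constructed sample: a base URL containing '&' so single encoding is visible.
    good = render_pager(1, 3, base="/?sort=name&page=")
    bad = encode_whole_fragment(good)
    print(check_pager_output(good))
    print(check_pager_output(bad))
```

A check like `check_pager_output` fits in a view-rendering test, where it catches a regression in either direction: markup encoded as text, or values left unencoded once the encoder is removed.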