fabien-d / alertify.js

JavaScript Alert/Notification System
http://fabien-d.github.com/alertify.js/

alertify.success automatically decodes HTML #230

Open SRocha147 opened 10 years ago

SRocha147 commented 10 years ago

Hello,

I am working on a project, and we are guarding against XSS by encoding HTML characters in jQuery. The following attack string:

would be translated to:

<script>alert(123);</script>

We are satisfied with the look of this for our release and are trying to eliminate any inconsistencies (i.e., any place which still displays rather than the HTML encoded form I have pasted above). We noticed that when using alertify.success, the function automatically decodes HTML. This produces no security problems for us but does cause a less than ideal user-experience in some select cases. A simple example to reproduce this is to try entering the following into the console of an environment properly set up with alertify.js:

alertify.success('<')

The above code will produce the following:

<

This is not what we want. Are there any work-arounds in the current API that would allow us to avoid the automatic HTML decoding, so instead produce the following result?

<

Thanks! Sam Rockwell

SRocha147 commented 10 years ago

Looks like GitHub's XSS prevention delimited my HTML. For the following pastes, the HTML symbol for less than should be used. This symbol is expressed as ampersand lower-case L lower-case T semicolon.

to reproduce this is to try entering the following into the console of an environment properly set up with alertify.js:

alertify.success('&lt;')

The above code will produce the following:

<
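The behaviour the reporter describes, as an added illustration that is not code from alertify.js or from the reporter: an escaping helper of the kind used on the jQuery side, a stand-in for an HTML-rendering sink (the assumption here is that alertify renders the message as HTML, which would explain why `&lt;` is displayed as `<`), and the double-escaping work-around that makes one round of decoding leave the entity form visible.

```javascript
// Added example, not alertify.js code. Assumption: the notification text is
// rendered through an HTML sink (innerHTML-like), so entities are decoded once.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text/attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Stand-in for what an HTML sink does to entities before the text is shown.
// Only the entities escapeHtml produces are handled; a real parser does more.
function renderAsHtml(markup) {
  return markup.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => DECODE_MAP[name]);
}

// What the user actually sees for a given message string.
function displayedText(message) {
  return renderAsHtml(message);
}

// Work-around when the sink cannot be changed: escape twice, so that the single
// decode performed by the sink yields the entity-encoded form on screen.
function doubleEscaped(raw) {
  return escapeHtml(escapeHtml(raw));
}

const attack = '<script>alert(123);</script>';     // constructed sample input
console.log(escapeHtml(attack));                    // &lt;script&gt;alert(123);&lt;/script&gt;
console.log(displayedText(escapeHtml(attack)));     // <script>alert(123);</script>  (decoded by the sink)
console.log(displayedText(doubleEscaped(attack)));  // &lt;script&gt;alert(123);&lt;/script&gt;
```

If the rendering code can be changed, assigning the message with `textContent` instead of `innerHTML` shows `&lt;` literally without any double escaping.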