florentulve / owasp-esapi-js

Automatically exported from code.google.com/p/owasp-esapi-js
Other
0 stars 0 forks source link

encodeForHTMLAttribute does not encode space character #20

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
$ESAPI.encoder().encodeForHTMLAttribute(' ') should return   as space 
character is not in present in IMMUNE_HTMLATTR

This could cause breakage in HTML Attribute

Ex:
document.getElementByID("test").innerHTML="<div 
data="+$ESAPI.encoder().encodeForHTMLAttribute('test xyz')+">This is a 
test</div>";

Would result in the following HMTL content

<div data="test" xyz="">This is a test</div>

Original issue reported on code.google.com by chandru...@gmail.com on 23 Jul 2015 at 6:45