nxbdi / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Difference between encodeForHTMLAttribute and encodeForHTML #276

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
As I have seen in the source code, the single difference between ESAPI.encoder().encodeForHTML() and ESAPI.encoder().encodeForHTMLAttribute() is that ' ' is part of the whitelist in encodeForHTML() and therefore not encoded.

ESAPI.encoder().encodeForHTMLAttribute() does indeed not encode ' ' either, as it is part of the UNENCODED_SET (line 73, HTMLEntityCodec).

Since the two methods apparently do the same (or did I miss some point?), why is there a need to make a distinction?

Original issue reported on code.google.com by wettstei...@gmail.com on 18 Jul 2012 at 10:31

GoogleCodeExporter commented 9 years ago
Yes.. I too found the same difference ('space' whitelisted in encodeForHTML) between the two (or am I missing something?)..
If that is the case, why not use encodeForHTMLAttribute in all the places, replacing encodeForHTML..? Will this cause some other problem?

Please throw us some light.
Awaiting your help.

Thanks in Advance,
Dinesh

Original comment by asdinesh...@gmail.com on 16 Aug 2012 at 4:00

GoogleCodeExporter commented 9 years ago
I had the same question, and it looks like the only difference is in org/owasp/esapi/reference/DefaultEncoder.java:

    private final static char[]     IMMUNE_HTML = { ',', '.', '-', '_', ' ' };
    private final static char[] IMMUNE_HTMLATTR = { ',', '.', '-', '_' };

However, I wasn't able to find the UNENCODE_SET in HTMLEntityCodec mentioned above. So it does seem like this is performing two separate functions.

Also, I'm curious how the attack vector works. I found this:

    <img src=  onerror=alert("XSS");>

Does anybody know which browsers this fires on? Does anybody have a different vector?

Original comment by abashkin...@gmail.com on 24 Sep 2012 at 7:29

GoogleCodeExporter commented 9 years ago
Also, is there a big impact if we decide to encode the space for both HTML and HTMLAttr?

Original comment by abashkin...@gmail.com on 24 Sep 2012 at 7:31
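The two questions in this thread (why the attribute encoder refuses to whitelist the space, and whether encoding the space in both contexts would hurt) come down to how an unquoted attribute value is tokenized. The following is an added illustration, not ESAPI code: it re-implements the two encoders in Python with the IMMUNE_HTML / IMMUNE_HTMLATTR sets quoted above (hex numeric entities only; ESAPI also emits named entities such as &lt; where one exists, which makes no difference here), then feeds the output into Python's own html.parser to see what the browser-side tokenizer would make of it. The input string "foo bar=baz" and the helper names are constructed for the example.

```python
"""Simplified model of ESAPI's encodeForHTML vs. encodeForHTMLAttribute.
Constructed example; the only difference between the two immune sets is the
space character, exactly as in the DefaultEncoder.java lines quoted above."""
from html import unescape
from html.parser import HTMLParser

# Immune (never encoded) characters, copied from the thread's DefaultEncoder quote.
IMMUNE_HTML = set(",.-_ ")
IMMUNE_HTMLATTR = set(",.-_")


def _encode(text: str, immune: set) -> str:
    """Pass ASCII alphanumerics and immune characters through unchanged and
    encode everything else as a hex numeric entity (simplification of ESAPI,
    which prefers a named entity when one exists)."""
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch in immune:
            out.append(ch)
        else:
            out.append("&#x%x;" % ord(ch))
    return "".join(out)


def encode_for_html(text: str) -> str:
    """Body-text context: the space is immune, so it survives literally."""
    return _encode(text, IMMUNE_HTML)


def encode_for_html_attribute(text: str) -> str:
    """Attribute context: the space is encoded as &#x20;."""
    return _encode(text, IMMUNE_HTMLATTR)


class _FirstTagAttributes(HTMLParser):
    """Collects the attribute list of the first start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Return {name: value} as the HTML tokenizer splits the first tag."""
    parser = _FirstTagAttributes()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def unquoted_attribute_outcome(user_value: str, encoder) -> dict:
    """Model a template that places user input in an UNQUOTED attribute
    (<div title=VALUE>) and show which attributes the tokenizer produces.
    Hypothetical template; the point is what a literal space does there."""
    return parsed_attributes("<div title=" + encoder(user_value) + ">")


def decoded_text(encoded: str) -> str:
    """What the user sees after the browser decodes entities in body text."""
    return unescape(encoded)


if __name__ == "__main__":
    value = "foo bar=baz"  # constructed input
    print(encode_for_html(value))            # foo bar&#x3d;baz
    print(encode_for_html_attribute(value))  # foo&#x20;bar&#x3d;baz
    # The literal space lets the value terminate early and a second
    # attribute name ("bar&#x3d;baz") appears on the tag.
    print(unquoted_attribute_outcome(value, encode_for_html))
    # With the space encoded the whole input stays inside "title".
    print(unquoted_attribute_outcome(value, encode_for_html_attribute))
    # Encoding the space in body text costs bytes but renders identically.
    print(decoded_text(encode_for_html_attribute("hello world")))
```

Run as a script, the third print shows two attributes on the tag and the fourth shows one; that is the whole reason the attribute encoder cannot treat the space as immune when the surrounding template does not quote the value. The last line answers the follow-up question: using the attribute encoder everywhere only makes the output longer (each space becomes six characters), since browsers decode &#x20; back to a space in text content. Quoting every attribute value in the template remains the safer fix in any case, because both encoders already encode the quote characters.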