Closed jcushman closed 3 years ago
The html() method returns incorrect results in some cases because it fails to escape HTML entities prior to the first tag in the inner HTML:
```python
>>> PyQuery("<foo>&lt;script&gt;// uh oh&lt;/script&gt;bar<boo/></foo>").html()
'<script>// uh oh</script>bar<boo/>'
```
This has potential security implications for downstream users if processing sanitized user-controlled content.
The fix would be to html-encode `tag.text` in the `html` method.
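The behaviour reported above and the proposed fix, as an added stand-in example (not PyQuery's own code): it models `html()` as "leading text of the element, then each child serialized" on top of the standard-library `xml.etree.ElementTree` instead of lxml, so it runs without pyquery installed. The function names, the `round_trips` check and the sample markup are all constructed for this illustration.

```python
"""Stand-in model of the reported PyQuery.html() defect and its fix.

Built on xml.etree.ElementTree rather than lxml/pyquery; the two
inner_html_* functions are hypothetical re-implementations, not code
from the pyquery project.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample inputs: the issue's own case, and one with text
# after a child element (a "tail") to see which text nodes are affected.
SAMPLE = "<foo>&lt;script&gt;// uh oh&lt;/script&gt;bar<boo/></foo>"
SAMPLE_TAIL = "<foo>x &lt;i&gt; <boo/>y &lt;j&gt;</foo>"


def inner_html_unescaped(markup: str) -> str:
    """Models the reported behaviour: tag.text (the text before the first
    child) is concatenated raw, so entity-decoded '<' is emitted as markup.
    Children are rendered by the serializer, which does escape their tails."""
    root = ET.fromstring(markup)
    parts = [root.text or ""]
    parts.extend(ET.tostring(child, encoding="unicode") for child in root)
    return "".join(parts)


def inner_html_escaped(markup: str) -> str:
    """The proposed fix: html-encode tag.text before concatenating it."""
    root = ET.fromstring(markup)
    parts = [html.escape(root.text or "", quote=False)]
    parts.extend(ET.tostring(child, encoding="unicode") for child in root)
    return "".join(parts)


def _shape(markup: str):
    """Leading text plus (tag, tail) of each child: the structure a
    correct inner-HTML serialization must preserve on re-parse."""
    root = ET.fromstring(markup)
    return (root.text or "", [(c.tag, c.tail or "") for c in root])


def round_trips(markup: str, inner: str) -> bool:
    """True if wrapping the produced inner HTML in the original root tag and
    re-parsing yields the same text/child structure. False means text was
    promoted to markup (or the output is not even well-formed)."""
    root_tag = ET.fromstring(markup).tag
    try:
        return _shape(markup) == _shape(f"<{root_tag}>{inner}</{root_tag}>")
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for markup in (SAMPLE, SAMPLE_TAIL):
        bad, good = inner_html_unescaped(markup), inner_html_escaped(markup)
        print("unescaped:", bad, "| round-trips:", round_trips(markup, bad))
        print("escaped:  ", good, "| round-trips:", round_trips(markup, good))
```

The second sample answers the "what about children?" question for this model: text that follows a child (its tail) is emitted by the serializer and is already escaped; only the text before the first child bypasses it, so escaping `tag.text` is the one missing step here. Whether pyquery's real `html()` has the same shape is for the maintainers to confirm against their code.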
Will this be enough if you have children? (also feel free to provide a PR :) )