kitodo / kitodo-publication

Kitodo.Publication
GNU General Public License v3.0

[CMR-824][3.x] Encode html entities in metatag values #163

Closed Erikmitk closed 4 years ago

Erikmitk commented 4 years ago

This prevents (among other things) double quotes leaking in the HTML output and breaking the tags by correctly encoding HTML entities before writing the output.

I could not generate these cases in the backend, but a quick test to verify is simply setting the meta tag $value in code directly before the output to something like $value='"TestMitUmlauten&Anführungszeichen"';. Without the htmlspecialchars the source is broken due to the nesting of double quotes.

henning-gerhardt commented 4 years ago

Is using CDATA (<![CDATA[characters with markup]]>) not a good alternative instead of escaping any HTML character?

Erikmitk commented 4 years ago

> Is using CDATA (<![CDATA[characters with markup]]>) not a good alternative instead of escaping any HTML character?

No. That makes no sense since I'm populating an HTML element's attribute. CDATA has no meaning there and would be interpreted as a string.
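The two points made in this thread, the broken tag from an unescaped double quote in the PR description and the reason CDATA does not help inside an attribute in the last reply, can be reproduced with a few lines of PHP. The following is an added example written for this page; it is not code from the Kitodo.Publication project. The meta tag name `DC.title` and the helper function names are assumptions for illustration; the test value is the one given in the PR description.

```php
<?php
declare(strict_types=1);

// Added example, not Kitodo.Publication code. Builds a <meta> tag from an
// untrusted value, once verbatim and once through htmlspecialchars(), and
// shows what a CDATA wrapper does inside an attribute value.

/**
 * Writes $value into the content attribute verbatim. This is the situation
 * the PR fixes: a double quote in $value closes the attribute early, and the
 * remainder of the value is parsed as stray markup.
 */
function buildMetaTagUnescaped(string $name, string $value): string
{
    return '<meta name="' . $name . '" content="' . $value . '">';
}

/**
 * Same tag with HTML entity encoding applied to both attribute values.
 * ENT_QUOTES encodes single and double quotes, ENT_HTML5 selects the HTML5
 * entity table, and the charset is given explicitly so umlauts survive
 * unchanged instead of being mangled by a wrong default.
 */
function escapeAttr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function buildMetaTagEscaped(string $name, string $value): string
{
    return '<meta name="' . escapeAttr($name) . '" content="' . escapeAttr($value) . '">';
}

/**
 * Cheap regression check for a tag with exactly two attributes: once the
 * values are escaped, no raw double quote remains inside them, so the tag
 * holds exactly four double quotes (one pair per attribute).
 */
function attributeQuotesBalanced(string $tag): bool
{
    return substr_count($tag, '"') === 4;
}

// Constructed test value, taken from the PR description.
$value = '"TestMitUmlauten&Anführungszeichen"';
$name  = 'DC.title'; // assumed meta tag name, chosen for illustration only

echo buildMetaTagUnescaped($name, $value), PHP_EOL;
echo buildMetaTagEscaped($name, $value), PHP_EOL;

// CDATA is XML node syntax, not attribute syntax: inside an attribute value the
// marker is just more characters, and the quote in the wrapped value still
// terminates the attribute exactly as before.
$cdata = '<![CDATA[' . $value . ']]>';
echo buildMetaTagUnescaped($name, $cdata), PHP_EOL;

var_dump(attributeQuotesBalanced(buildMetaTagUnescaped($name, $value)));
var_dump(attributeQuotesBalanced(buildMetaTagEscaped($name, $value)));
var_dump(attributeQuotesBalanced(buildMetaTagUnescaped($name, $cdata)));
```

Run with `php example.php`. The first tag has its content attribute cut off at the leading quote, the second carries `&quot;` and `&amp;` where the raw characters were, and the third shows the CDATA wrapper sitting inside the attribute as literal text with the same broken quoting. Only the escaped tag passes the quote-count check, which is the property the PR's `htmlspecialchars` call establishes.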