Closed sipsorcery closed 1 year ago
In answer to my own question, it does seem to be correct behaviour.
Chrome renders `<p>I will display &curren</p>` as `I will display ¤`.
An alternative question is, is there an option to turn off HTML entities with the HTMLFormatter? Or is there a better approach?
Turning off HTML entity parsing doesn't seem to be an option: https://github.com/mganss/HtmlSanitizer/issues/62.
See #362
Hi,
I'm using the snippet below to check HTTP POST strings for potential XSS attacks.
It works well, but today I hit a snag where a partial HTML entity was decoded as an HTML entity and thereby triggered the check.
With an input of:
`merchantID=6f80138d-870b-4b07-8bc4-a4fd33a0d30f&currency=GBP&accountName=Curl%203`
the sanitized value is:
`merchantID=6f80138d-870b-4b07-8bc4-a4fd33a0d30f¤cy=GBP&accountName=Curl 3`
So `&curren` is being converted to `¤`. Is that correct behaviour? Shouldn't it need to be `&curren;` (with terminating semi-colon) to be treated as an HTML entity?
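An added illustration of the behaviour discussed in this thread (not code from HtmlSanitizer, which is a C# library): Python's `html.unescape` follows the same WHATWG named-character-reference table browsers use, so it reproduces the `&currency=GBP` to `¤cy=GBP` decoding, and the per-field check beside it shows how to avoid the false positive by treating `&` as the form-encoding separator before any HTML decoding. The POST body and field names are constructed to match the issue.

```python
import html
from html.entities import html5
from urllib.parse import parse_qs

# Constructed sample POST body with the same shape as the one in the issue.
RAW_BODY = ("merchantID=6f80138d-870b-4b07-8bc4-a4fd33a0d30f"
            "&currency=GBP&accountName=Curl%203")


def decodes_without_semicolon(name: str) -> bool:
    """True if `&name` is decoded even with no terminating semicolon.
    Python's html5 table lists those legacy names without the ';' suffix,
    mirroring the WHATWG named-character-reference table browsers use."""
    return name in html5


def html_text_decode(s: str) -> str:
    """Decode character references the way a browser does in text content.
    `&currency=GBP` becomes `¤cy=GBP` because `curren` is a legacy name."""
    return html.unescape(s)


def naive_body_check(raw_body: str) -> bool:
    """The pattern from the issue: decode the whole raw body as HTML and flag
    it if anything changed. Fires on the harmless `&currency=GBP`."""
    return html_text_decode(raw_body) != raw_body


def per_field_check(raw_body: str) -> dict:
    """Treat `&` as the form-encoding separator first: split and URL-decode
    each field, then run the HTML check on each decoded value.
    Returns {field_name: True if HTML decoding changed the value}."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    return {name: any(html_text_decode(v) != v for v in values)
            for name, values in fields.items()}


if __name__ == "__main__":
    print(decodes_without_semicolon("curren"), decodes_without_semicolon("euro"))  # True False
    print(html_text_decode("&currency=GBP"))   # ¤cy=GBP
    print(naive_body_check(RAW_BODY))          # True  (false positive)
    print(per_field_check(RAW_BODY))           # every field False
    # A value that really carries an entity is still flagged per field.
    print(per_field_check("note=%26curren%3B&x=1"))  # {'note': True, 'x': False}
```

Note that `html.unescape` models text-content decoding only; inside attribute values browsers do not consume a legacy name that is followed by `=` or an alphanumeric, so the same input can decode differently depending on where it lands in the markup.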