I have a potentially unsafe string like this:
testxssattack<script>confirm(xssattack)</script>
Why does my policy change < to < ?
Hex format is safer than an HTML entity in my application and I don't want
AntiSamy to make this kind of replacement. Is there any way to change this
behaviour? Inb4 any answer, the directive:
<directive name="entityEncodeIntlChars" value="false"/>
doesn't change anything in this case, with either true or false.
Original issue reported on code.google.com by braindwe...@gmail.com on 23 Oct 2014 at 2:39