
On Mon, Dec 19, 2011 at 2:09 AM, Jasper Van der Jeugt
Hello all,
A proposed change to blaze-html came up. In order to make the best decision, I'd like to ask the advice of this list.
Currently, the blaze-html library escapes a single quote (') to &#39;.
John MacFarlane brought up [1] the fact that this character doesn't need to be escaped in theory. This would have two advantages:
- Easier readable output
- Saves a few bytes, hence, faster
Why doesn't blaze-html need to escape (')? According to the standards, (') only needs to be escaped when it appears inside an attribute value, because something like:
    a ! href "'content..."

could be rendered to

    <a href=''content...'>

and an end-user might be able to inject malicious content. However, blaze-html *always* uses double quotes for attribute values. This means that the previous example would be safely rendered to

    <a href="'content...">
On the other hand, most sources [2] recommend escaping the (') character, and perhaps it's better to be safe than sorry.
Any opinions on this case?
[1]: https://github.com/jaspervdj/blaze-html/pull/48
[2]: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Ch...
Cheers, Jasper
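An added illustration of the argument in the message above (example code written for this page, not blaze-html's own code): a toy escaper that leaves the single quote alone, rendered into double-quoted attribute values as blaze-html does, beside the single-quoted rendering the message warns about, plus a small quote-aware attribute parser to show what each rendering yields. The `escape_no_squote`, `render_attr` and `parse_attrs` names and the constructed sample values are assumptions of this example.

```python
import html
import re

# Toy escaper following the proposal in the thread: escape the characters that
# can change how text or a double-quoted attribute value is parsed, but leave
# the single quote (') alone. Constructed for this example, not blaze-html code.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

def escape_no_squote(s: str) -> str:
    """Escape &, <, > and the double quote only; ' passes through unchanged."""
    return "".join(ESCAPES.get(c, c) for c in s)

def render_attr(name: str, value: str, quote: str = '"') -> str:
    """Render name=<quote>value<quote>.

    quote='"' is the invariant blaze-html relies on (attribute values are
    always double-quoted); quote="'" is the single-quoted rendering the
    message warns about, kept here only to show why it is unsafe.
    """
    return f"{name}={quote}{escape_no_squote(value)}{quote}"

# A quote-aware attribute parser: one attribute per name="..." or name='...'.
ATTR_RE = re.compile(r'''(\w+)=("([^"]*)"|'([^']*)')''')

def parse_attrs(tag: str) -> dict:
    """Return the attributes a browser-like parser would see in an opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        raw = m.group(3) if m.group(3) is not None else m.group(4)
        attrs[m.group(1)] = html.unescape(raw)
    return attrs

def render_and_parse(value: str, quote: str = '"') -> dict:
    """Render an <a> tag with href=value and parse it back."""
    return parse_attrs("<a " + render_attr("href", value, quote) + ">")

if __name__ == "__main__":
    # Constructed untrusted value that tries to close the attribute early.
    tricky = "x' id='injected"
    # Double-quoted (blaze-html): the ' stays inside href, no extra attribute.
    print(render_and_parse(tricky))             # {'href': "x' id='injected"}
    # Single-quoted: the unescaped ' ends the value and a new attribute appears.
    print(render_and_parse(tricky, quote="'"))  # {'href': 'x', 'id': 'injected'}
    # A double quote in the value is escaped, so it cannot break out either.
    print(render_and_parse('x" id="injected'))  # {'href': 'x" id="injected'}
```

The safety of leaving ' unescaped rests entirely on the double-quoting invariant: drop it, and the parser in the second case sees an attribute the author never wrote.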
I think leaving it unescaped is fine; I can't think of any way that could lead to bugs.

Michael