#103 Escaping of html attributes

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-07-01
Created: 2014-06-29
Creator: Dave
Private: No

In https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes they clearly define the need for different kinds of escaping in (different kinds of) attributes. It would be nice if the (exhaustive) OWASP list of escaping methods were available in FreeMarker. AFAICT only html, js and url escaping are available.

Discussion

  • Dániel Dékány

    I will read that through as time allows. But if you can tell me concrete issues, that helps. Like, assuming you set incompatible_improvements to 2.3.20, so that the apostrophe-quote is escaped, are you aware of any trick to break out of myAttr='${value?html}' or myAttr="${value?html}"?

    Last edit: Dániel Dékány 2014-06-30
  • Dave

    Dave - 2014-07-01

    I saw the options you provided in the docs.

    No, I am not aware of being able to break out of a quote. Quoting :-) : 'Properly quoted attributes can only be escaped with the corresponding quote.'.

    Last edit: Dave 2014-07-01
  • Dániel Dékány

    The template author is supposed to quote attribute values. If he doesn't, because he forgets to or doesn't know that he should, then surely he won't use some kind of special escaping (?attr_n_q or something) that allows unquoted attribute values... So that's basically my problem with overly specialized escapings. Almost nobody will understand them (heck, half of the developers don't even understand ?html), not to mention remembering and using them.

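To make the two positions in this thread concrete, here is an added Python example (not FreeMarker code and not from the project): one escaper mirroring what the thread says ?html does once incompatible_improvements is 2.3.20 (the apostrophe is escaped along with the usual HTML metacharacters), one implementing OWASP rule #2, and a check for whether the escaped text still contains a character that would end the attribute value for a given quoting style. The exact entity forms, the sample value and the terminator sets are assumptions made for this illustration, not FreeMarker's actual output.

```python
import html

# Constructed sample value: contains both quote kinds, a tag, whitespace and '='.
SAMPLE = "O'Reilly\" <b>x=y"

# Characters that end an attribute value, per quoting style (assumption based on
# the HTML attribute syntax): inside '...' only ', inside "..." only ", and in an
# unquoted value any whitespace or one of " ' = < > `.
ATTR_TERMINATORS = {
    "'": set("'"),
    '"': set('"'),
    "": set(" \t\n\r\f\"'=<>`"),
}


def html_escape(value: str) -> str:
    """Approximates ?html with incompatible_improvements >= 2.3.20:
    & < > " and ' are all replaced by entities (entity spelling is assumed)."""
    return html.escape(value, quote=True)


def owasp_attr_escape(value: str) -> str:
    """OWASP rule #2: every character below 256 that is not an ASCII
    alphanumeric becomes &#xHH; so it is safe even in an unquoted attribute."""
    out = []
    for ch in value:
        code = ord(ch)
        if code < 256 and not (ch.isascii() and ch.isalnum()):
            out.append(f"&#x{code:02X};")
        else:
            out.append(ch)
    return "".join(out)


def can_break_out(escaped: str, quote: str) -> bool:
    """True if the escaped text still contains a character that would terminate
    an attribute value delimited by `quote` ("" means unquoted)."""
    return any(c in ATTR_TERMINATORS[quote] for c in escaped)


def render_attr(name: str, value: str, quote: str, escaper) -> str:
    """Build name=<quote>escaped<quote> the way a template would."""
    return f"{name}={quote}{escaper(value)}{quote}"


if __name__ == "__main__":
    for quote in ("'", '"', ""):
        for escaper in (html_escape, owasp_attr_escape):
            rendered = render_attr("title", SAMPLE, quote, escaper)
            risky = can_break_out(escaper(SAMPLE), quote)
            print(f"{escaper.__name__:18} quote={quote!r:4} breakout={risky}: {rendered}")
```

Run stand-alone it prints the six combinations; the only one where the value can be terminated early is html-escaping inside an unquoted attribute, which is exactly the case the thread says template authors should avoid by quoting.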