Escape quotes in attribute values

Object-oriented generation of HTML code on .NET 4 Client Profile

Status: Beta

Brought to you by: psionski

#9 Escape quotes in attribute values

Milestone: Beta

Status: pending

Owner: Psion Ski

Labels: security (2)

Updated: 2012-09-26

Created: 2012-06-18

Creator: Psion Ski

Private: No

Element attribute values shouldn't contain quotes. Look for a proven method to sanitize them (xml.sax.saxutils.quoteattr in Python?) and implement it.

Discussion

Psion Ski - 2012-09-26

status: open --> pending

assigned_to: Vladislav Zorov
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Psion Ski - 2012-09-26

We already escape attribute values in this fashion. There still exists a possible attack vector, which is visible as a failed test in the current version of the code.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Escape quotes in attribute values

Object-oriented generation of HTML code on .NET 4 Client Profile

Milestone

Searches

Help

#9 Escape quotes in attribute values

Discussion