[web-devel] Escaping of (') in blaze-html

Jasper Van der Jeugt m at jaspervdj.be
Mon Dec 19 01:09:31 CET 2011


Hello all,

A proposed change to blaze-html came up. In order to make the best
decision, I'd like to ask the advice of this list.

Currently, the blaze-html library escapes a single quote (') to &#39;.

John MacFarlane brought up [1] the fact that this character doesn't need
to be escaped in theory. This would have two advantages:

- Easier readable output
- Saves a few bytes, hence, faster

Why doesn't blaze-html need to escape (')? According to the standards,
(') only needs to be escaped when it appears inside an attribute value,
because something like:

    a ! href "'content..."

could be rendered to

    <a href ='' content...'

and an end-user might be able to inject malicious content. However,
blaze-html *always* uses double quotes for attribute values. This means
that the previous example would be safely rendered to

    <a href ="' content..."

On the other hand, most sources [2] recommend escaping the (')
character, and perhaps it's better to be safe than sorry.

Any opinions on this case?

[1]: https://github.com/jaspervdj/blaze-html/pull/48
[2]: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

Cheers,
Jasper
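The attribute-quoting argument above is easy to check mechanically: render an attribute value with either quote style and either escape table, then parse the result back the way a browser tokenizer would and look at which attributes come out. The following Python is an added illustration, not blaze-html's own code; the escape tables, the `extra='injected'` marker value and the helper names are assumptions made here, and the standard-library `html.parser` stands in for a browser.

```python
from html.parser import HTMLParser

# Assumed escape tables (hypothetical, not blaze-html's own):
# ESCAPE_MINIMAL is what the proposal in [1] would leave, ESCAPE_FULL is the
# current behaviour that also turns ' into &#39;.
ESCAPE_MINIMAL = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
ESCAPE_FULL = dict(ESCAPE_MINIMAL, **{"'": "&#39;"})


def escape(text, table):
    """Replace every character found in `table` by its entity."""
    return "".join(table.get(c, c) for c in text)


def render_anchor(href, quote, table):
    """Render <a href=...>x</a> with the given quote character around the
    attribute value. blaze-html always uses '"'; "'" models a hand-written
    template that wraps the value in single quotes."""
    return f"<a href={quote}{escape(href, table)}{quote}>x</a>"


class _AttrCollector(HTMLParser):
    """Record (tag, attrs) for each start tag seen; attribute values are
    entity-decoded by HTMLParser, as a browser would do."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def attrs_seen(href, quote, table):
    """Render the anchor, parse it back and return the attribute list of the
    <a> element. If the untrusted value has escaped its quotes, the list
    contains more than the single href attribute we intended."""
    parser = _AttrCollector()
    parser.feed(render_anchor(href, quote, table))
    parser.close()
    tag, attrs = parser.tags[0]
    assert tag == "a"
    return attrs


def breaks_out(href, quote, table):
    """True when the parsed element carries an attribute other than href."""
    return any(name != "href" for name, _ in attrs_seen(href, quote, table))


if __name__ == "__main__":
    # Constructed sample value: a stray quote followed by a harmless marker
    # attribute, so a break-out is visible without any active content.
    value = "' extra='injected"
    for quote in ("'", '"'):
        for name, table in (("minimal", ESCAPE_MINIMAL), ("full", ESCAPE_FULL)):
            print(f"quote={quote} table={name:7} -> "
                  f"{render_anchor(value, quote, table)}  "
                  f"breaks_out={breaks_out(value, quote, table)}")
```

Run as a script, it shows the three cases from the mail: a single-quoted attribute with a minimal escape table yields a second `extra` attribute, while the double-quoted attribute keeps the whole value inside `href` even without escaping `'`, and escaping `'` to `&#39;` makes the single-quoted template safe too. The last case is the practical argument for keeping the escape: blaze-html controls its own attribute quoting, but fragments it produces may later be pasted into a template that uses single quotes, and the extra entity costs nothing in correctness.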
