[web-devel] Escaping of (') in blaze-html

Michael Snoyman michael at snoyman.com
Mon Dec 19 05:36:36 CET 2011


On Mon, Dec 19, 2011 at 2:09 AM, Jasper Van der Jeugt <m at jaspervdj.be> wrote:
> Hello all,
>
> A proposed change to blaze-html came up. In order to make the best
> decision, I'd like to ask the advice of this list.
>
> Currently, the blaze-html library escapes a single quote (') to &#39;.
>
> John MacFarlane brought up [1] the fact that this character doesn't need
> to be escaped in theory. This would have two advantages:
>
> - More readable output
> - Saves a few bytes, hence faster
>
> Why doesn't blaze-html need to escape (')? According to the standards,
> (') only needs to be escaped when it appears inside an attribute value,
> because something like:
>
>    a ! href "'content..."
>
> could be rendered to
>
>    <a href ='' content...'
>
> and an end-user might be able to inject malicious content. However,
> blaze-html *always* uses double quotes for attribute values. This means
> that the previous example would be safely rendered to
>
>    <a href ="' content..."
>
> On the other hand, most sources [2] recommend escaping the (')
> character, and perhaps it's better to be safe than sorry.
>
> Any opinions on this case?
>
> [1]: https://github.com/jaspervdj/blaze-html/pull/48
> [2]: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
>
> Cheers,
> Jasper

I think leaving it unescaped is fine; I can't think of any way that
could lead to bugs.

Michael
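
The argument in the thread (a single quote can only break out of an attribute value whose delimiter is a single quote, so a renderer that always double-quotes never needs to escape it) can be made checkable. The following is an added example, not blaze-html's code and not anything posted in the thread: `render_anchor` is a stand-in renderer whose quoting style is a parameter so the two cases can be compared side by side, the two escape tables mirror the current and proposed behaviour, and `_HREF_RE` is a deliberately crude stand-in for a browser's attribute tokenizer. The `data-x=injected` tail is constructed input chosen to be visible, not a payload.

```python
"""Context-dependent HTML escaping of the single quote.

Added illustration, not blaze-html's code.  CURRENT escapes (') to &#39; as
blaze-html does today; PROPOSED leaves it alone.  The renderer and the
attribute tokenizer below are assumptions of this example.
"""
import re

# Characters that can close or alter an HTML context, and their replacements.
CURRENT = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
# The proposed table: identical except that (') passes through untouched.
PROPOSED = {c: r for c, r in CURRENT.items() if c != "'"}


def escape(text, table=CURRENT):
    """Escape every character found in `table`; everything else passes through."""
    return "".join(table.get(ch, ch) for ch in text)


def render_anchor(href, quote='"', table=CURRENT):
    """Render <a href=Q...Q> with the given quote character (assumed renderer).

    blaze-html always uses quote='"'; quote="'" models a renderer that does not.
    """
    return f"<a href={quote}{escape(href, table)}{quote}>"


# An attribute value ends at its matching quote; whatever follows before '>'
# is parsed as further attribute text, i.e. it has escaped the value.
_HREF_RE = re.compile(r'''href=(?:"([^"]*)"|'([^']*)')([^>]*)>''')


def attribute_tail(tag):
    """Return the text a browser would treat as extra attributes after href."""
    m = _HREF_RE.search(tag)
    if m is None:
        raise ValueError(f"no quoted href found in {tag!r}")
    return m.group(3).strip()


def href_stays_inside_attribute(href, quote='"', table=CURRENT):
    """True if the untrusted `href` cannot break out of the attribute value."""
    return attribute_tail(render_anchor(href, quote, table)) == ""


if __name__ == "__main__":
    # Constructed input: a value starting with (') followed by attribute-looking text.
    untrusted = "' data-x=injected"
    for quote, table, label in [
        ('"', PROPOSED, "double quotes, (') unescaped"),
        ("'", PROPOSED, "single quotes, (') unescaped"),
        ("'", CURRENT, "single quotes, (') -> &#39;"),
    ]:
        tag = render_anchor(untrusted, quote, table)
        print(f"{label:32} {tag:40} tail={attribute_tail(tag)!r}")
```

Run as a script, the three rows show the only case with a non-empty tail is the single-quoted renderer using the proposed table; with double-quoted attributes the (') is just another character inside the value, and (") is still escaped to `&quot;`, so the value cannot be closed early. In element content neither quote is a delimiter at all; only `<` and `&` matter there. What the proposed change rests on is therefore exactly the invariant the thread names: the renderer must never emit a single-quoted attribute.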
