Alex Milowski wrote:
James M Snell wrote:
I'm assuming that in the Title header, characters such as & and < should
be interpreted literally and not as markup, e.g., "Title: Big & Tall"
would correspond to <title>Big & Tall</title>. However, the spec
doesn't have any text to back up this assumption. Should it?
Yes! Good catch.
Otherwise, people will get it wrong...
I don't think we can say "don't escape user input" assuming Title will get
placed into entry markup, and rendered as HTML who knows where after
that. I think Title needs to be considered tainted content, i.e. we'll
have to say something about it and XSS in the security sections.
cheers
Bill
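The escaping question the thread raises, as an added example that is not part of the original mailing-list exchange: a Title header value is treated as an opaque string, serialised into the Atom entry as a text node (so & and < are escaped rather than interpreted), and escaped again when the same text is later emitted into HTML. The naive string-concatenation variant is included only to show the failure mode Bill points at; the header name "Title" comes from the thread, everything else (function names, sample values) is constructed for illustration.

```python
import html
from xml.etree import ElementTree as ET


def title_header_to_xml(header_value: str) -> str:
    """Serialise a Title header value as an Atom <title> element.

    The value is assigned as the element's text node, so the serialiser
    escapes &, < and > for us and nothing in the header can become markup.
    """
    title = ET.Element("title")
    title.set("type", "text")
    title.text = header_value
    return ET.tostring(title, encoding="unicode")


def naive_title_xml(header_value: str) -> str:
    """The wrong way: splice the header straight into markup (constructed counter-example)."""
    return f"<title>{header_value}</title>"


def is_well_formed(xml_text: str) -> bool:
    """True if the string parses as XML at all."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def interpreted_as_markup(xml_text: str) -> bool:
    """True if the <title> element ended up with child elements, i.e. header text became markup."""
    return len(list(ET.fromstring(xml_text))) > 0


def title_round_trips(header_value: str) -> bool:
    """Parse the escaped element back and confirm the original header text survives unchanged."""
    parsed = ET.fromstring(title_header_to_xml(header_value))
    return parsed.text == header_value and len(list(parsed)) == 0


def title_for_html(header_value: str) -> str:
    """Escape the (still tainted) title text a second time when it is rendered into HTML."""
    return html.escape(header_value, quote=True)


if __name__ == "__main__":
    # Constructed sample header values, including one that looks like markup.
    for sample in ("Big & Tall", "Less <b>than</b> more"):
        print(title_header_to_xml(sample))
        print("round-trips:", title_round_trips(sample))
        print("naive well-formed:", is_well_formed(naive_title_xml(sample)))
        print("html:", title_for_html(sample))
```

Escaping at the XML stage alone is not enough: once the title leaves the Atom document and is written into an HTML page, the receiving code has to escape it again for that context, which is the "tainted content" point above.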