Hi

When I use XSSAPI.encodeForHTMLAttr() with this value:

/content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html

The resulting HTML tag will be closed and the <img> tag is injected.

I would assume that a method like this will not allow the HTML attribute to be closed, let alone close the tag altogether.

Is there a way to fix that within the Sling XSS suite?
Is that a shortcoming / bug?

Thanks - Andy
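The following is an added illustration, not code from the post above and not the Sling or ESAPI implementation. It applies the OWASP rule that an HTML-attribute encoder leaves alphanumerics alone and turns every other character into a numeric character reference (`&#xHH;`), then parses the rendered markup to confirm that the value from the post cannot terminate a quoted attribute or open a second tag. The function names (`encode_for_html_attr`, `build_link`, `attribute_is_contained`) are assumptions for this example; `SAMPLE_PATH` is the value quoted in the post.

```python
from html.parser import HTMLParser

# Constructed sample: the path quoted in the post above, which carries an
# attribute-breakout payload.
SAMPLE_PATH = '/content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html'


def encode_for_html_attr(value: str) -> str:
    """Encode a string for placement inside a *quoted* HTML attribute value.

    Follows the OWASP rule of thumb: keep ASCII alphanumerics, replace every
    other character with a numeric character reference (&#xHH;). This is a
    hypothetical illustration of the rule, not Sling's or ESAPI's encoder.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def build_link(path: str, encode: bool = True) -> str:
    """Render the path as a quoted href attribute, with or without encoding."""
    attr = encode_for_html_attr(path) if encode else path
    return f'<a href="{attr}">file</a>'


class _TagCollector(HTMLParser):
    """Collect every start tag the parser sees, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(html: str):
    """Return [(tag_name, {attr: value}), ...] for the given markup."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def attribute_is_contained(html: str, expected_value: str) -> bool:
    """True when the markup parses to exactly one <a> whose href equals the
    original value, i.e. nothing escaped the attribute and no extra tag
    appeared. The parser decodes &#xHH; references, so a correctly encoded
    value round-trips to the raw string."""
    tags = parse_tags(html)
    return (
        len(tags) == 1
        and tags[0][0] == "a"
        and tags[0][1].get("href") == expected_value
    )


if __name__ == "__main__":
    print("unencoded tags:", [t for t, _ in parse_tags(build_link(SAMPLE_PATH, encode=False))])
    print("encoded tags:  ", [t for t, _ in parse_tags(build_link(SAMPLE_PATH))])
    print("contained:", attribute_is_contained(build_link(SAMPLE_PATH), SAMPLE_PATH))
```

Two points this check makes visible: the unencoded rendering parses into an `a` tag followed by an `img` tag, while the encoded rendering parses into a single `a` tag whose `href` is the original path. The guarantee only holds when the attribute is quoted and the encoded output is not decoded again (for example by a second template layer) before it reaches the browser; if the tag is still being closed after encoding, that is where to look.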
