Antonio Petrelli wrote:
2008/1/16, Jeromy Evans <[EMAIL PROTECTED]>:
<a href="javascript:alert('1&2>3='+(1&2>3));">Link A</a>
HTML escaped is not equivalent:
<a href="javascript:alert('1&2>3='+(1&2>3));">Link B</a>
You forgot a semicolon. The correct link is:
<a href="javascript:alert('1&2>3='+(1&2>3));">Link B</a>
And it *is* equivalent.
Antonio
Ah, my bad. Okay, I'm convinced. :-)
On that basis, the anchor tag just needs ?html added to the href attribute:
From:
<#if parameters.href?if_exists != "">
href="${parameters.href}"<#rt/>
</#if>
To:
<#if parameters.href?if_exists != "">
href="${parameters.href?html}"<#rt/>
</#if>
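The equivalence argued above can be checked with an HTML parser. This is an added example, not part of the original thread or the Struts code base. `ftl_html`, `render_anchor` and `parsed_attrs` are hypothetical names, Python's `html.escape` stands in for FreeMarker's `?html` as an assumption, and the second href value is a constructed sample.

```python
from html import escape
from html.parser import HTMLParser


def ftl_html(value):
    """Stand-in (assumption) for FreeMarker's ?html: escapes & < > and quotes."""
    return escape(value, quote=True)


def render_anchor(href, escape_href):
    """Mimics the template output with ${parameters.href} or ${parameters.href?html}."""
    shown = ftl_html(href) if escape_href else href
    return '<a href="%s">Link</a>' % shown


class AnchorAttrs(HTMLParser):
    """Records the attributes an HTML parser sees on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    """Returns the <a> attributes after the parser has decoded entities."""
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# The link from the thread, and a constructed value containing a double quote.
JS_HREF = "javascript:alert('1&2>3='+(1&2>3));"
QUOTED_HREF = 'page.action?q=a" class="injected'  # constructed sample

if __name__ == "__main__":
    for href in (JS_HREF, QUOTED_HREF):
        for escaped in (False, True):
            label = "with ?html" if escaped else "unescaped "
            print(label, parsed_attrs(render_anchor(href, escaped)))
```

With escaping, the parser hands back exactly the original href in both cases; without it, the double quote in the second value ends the attribute early and the remainder is parsed as a separate `class` attribute.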