Status: New
Owner: ----
New issue 2217 by [email protected]: HTML extensions to String.prototype shouldn’t escape ', < and > in argument values; only "
http://code.google.com/p/v8/issues/detail?id=2217
Currently:
'_'.link('<\'>"')
"<a href="<'>"">_</a>"
The escapes for ', < and > are unneeded and don’t add any protection, as
they’re used in an HTML attribute value quoted using double quotes.
http://mathias.html5.org/specs/javascript/#escapeattributevalue only
requires escaping the ". So, it should be:
'_'.link('<\'>"')
"<a href="<'>&quot;">_</a>"
Note that no other engine/browser escapes ', < and > in this case. " must
be escaped for security reasons, but V8 does that just fine.
Here’s a list of the affected methods:
* String.prototype.anchor(name)
* String.prototype.fontcolor(color)
* String.prototype.fontsize(size)
* String.prototype.link(href)
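As an added illustration (not code from the V8 issue or from V8 itself), here is a reference implementation of the escaping behaviour the report asks for, following the EscapeAttributeValue rule at http://mathias.html5.org/specs/javascript/: only `"` is replaced, because the value sits inside a double-quoted attribute, where `'`, `<` and `>` cannot end the value early. The function and method names below are this example's own.

```javascript
// Added example, not code from the V8 issue or from V8 itself: a reference
// implementation of the CreateHTML / EscapeAttributeValue behaviour that
// http://mathias.html5.org/specs/javascript/ describes. The value lands
// inside a double-quoted attribute, so only `"` can end the value early;
// `'`, `<` and `>` are harmless there and are passed through unchanged.
function escapeAttributeValue(value) {
  return String(value).replace(/"/g, '&quot;');
}

// <tag attribute="escaped value">string</tag>; element content is not
// escaped, matching the legacy behaviour of these String methods.
function createHTML(string, tag, attribute, value) {
  let open = '<' + tag;
  if (attribute !== undefined) {
    open += ' ' + attribute + '="' + escapeAttributeValue(value) + '"';
  }
  return open + '>' + String(string) + '</' + tag + '>';
}

// The four affected methods from the report, expressed via createHTML.
const htmlMethods = {
  anchor: (s, name) => createHTML(s, 'a', 'name', name),
  fontcolor: (s, color) => createHTML(s, 'font', 'color', color),
  fontsize: (s, size) => createHTML(s, 'font', 'size', size),
  link: (s, href) => createHTML(s, 'a', 'href', href),
};

// Reads a double-quoted attribute back the way a parser would: the value
// runs up to the first raw `"`, and `&quot;` decodes to `"`. Returns null
// when the attribute is absent.
function readAttribute(html, attribute) {
  const m = new RegExp(attribute + '="([^"]*)"').exec(html);
  return m ? m[1].replace(/&quot;/g, '"') : null;
}

// Round-trip check: the value survives intact only if `"` was escaped;
// an unescaped `"` would close the attribute and truncate the value.
function roundTrips(value) {
  return readAttribute(htmlMethods.link('_', value), 'href') === value;
}

console.log(htmlMethods.link('_', '<\'>"')); // <a href="<'>&quot;">_</a>
console.log(roundTrips('<\'>"'));            // true
```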
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev