Comment #4 on issue 2217 by [email protected]: HTML extensions to
String.prototype shouldn’t escape ', < and > in argument values; only "
http://code.google.com/p/v8/issues/detail?id=2217
A quick test on Firefox 13 shows:
'abc'.link('url">xyz</a><script>alert("fail")</script><a href="url2')
returns
"<a href="url">xyz</a><script>alert("fail")</script><a href="url2">abc</a>"
so apparently they are not escaping anything at all.
Since String.prototype.link etc. are not part of ECMA-262 and
escaping "<", ">" and "'" won't cause any harm, I don't see why this change
is necessary.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
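
Added example, not part of the original comment and not V8 or Firefox code: it runs the argument value from the test above through three escaping policies for the href value and counts how many tags each result contains. The function names, the minimal countTags scanner and the entity used for ' are assumptions made for illustration.

```javascript
// Constructed input: the argument value quoted in the comment above.
const ARG = 'url">xyz</a><script>alert("fail")</script><a href="url2';

// Policy 1: no escaping, matching the output the comment reports.
function linkNoEscape(text, url) {
  return '<a href="' + url + '">' + text + '</a>';
}

// Policy 2: escape only the double quote, as the issue title proposes.
function linkQuoteOnly(text, url) {
  return '<a href="' + url.replace(/"/g, '&quot;') + '">' + text + '</a>';
}

// Policy 3: also escape ', < and > (entity choice for ' is an assumption).
function linkEscapeAll(text, url) {
  const map = { '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return '<a href="' + url.replace(/["'<>]/g, c => map[c]) + '">' + text + '</a>';
}

// Minimal scanner (hypothetical helper): counts tags, treating everything
// inside a double-quoted attribute value as inert. It only understands the
// markup shape produced by the functions above.
function countTags(html) {
  let tags = 0, inTag = false, inQuote = false;
  for (const ch of html) {
    if (!inTag) {
      if (ch === '<') { inTag = true; tags++; }
    } else if (ch === '"') {
      inQuote = !inQuote;
    } else if (ch === '>' && !inQuote) {
      inTag = false;
    }
  }
  return tags;
}

for (const f of [linkNoEscape, linkQuoteOnly, linkEscapeAll]) {
  const out = f('abc', ARG);
  console.log(f.name, countTags(out), out);
}
```

An intended anchor is two tags (<a> and </a>); a higher count means the argument value closed the attribute and added markup of its own.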