[Owasp-antisamy] Ampersand character in title attribute
augustd at codemagi.com
Mon Feb 22 18:21:37 EST 2010
With the default regex, it does not matter whether the ampersand is
encoded or not. "Full Q&A Session", "Full Q&A Session" and "Full
Q&A Session" fail the AntiSamy check, but "Full QA Session" does
not. This implies that any other encoded character will also fail, since
the ampersand is used in all of them.
On 2/22/10 1:45 PM, Dave Moore wrote:
> I'm not a dev on the team, but the markup looks invalid; it should be
> & -- the text inside HTML attributes has to be escaped.
> On Mon, Feb 22, 2010 at 15:19, August Detlefsen <augustd at codemagi.com> wrote:
> AntiSamy is rejecting the ampersand character in the title
> attribute of
> an href. If my input is:
> <a href="/some/page" title="Full Q&A Session" />
> It rejects the tag due to the &.
> Do you know of any reason why that character should be banned from a
> title? It seems like it would be present a lot if you are encoding
> special characters...
> Is it safe to adjust the default regex for the title field to
> allow the
> August Detlefsen
> CEO/Web Application Architect
> CodeMagi, Inc.
CEO/Web Application Architect
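Added illustration of the regex behaviour discussed in this thread (example code written for this page, not AntiSamy's source or its policy file; the two patterns are assumed stand-ins for a title-attribute regex, not the real default): a plain character-class pattern rejects the ampersand whether or not it is encoded, while a pattern that admits only well-formed character references accepts an escaped "Q&amp;A" yet still rejects a bare or dangling "&".

```python
import html
import re

# Assumed stand-in for a strict attribute-value regex: no "&" at all,
# so "Q&A", "Q&amp;A" and "Q&#38;A" are all rejected (as described in the thread).
# Quotes, "<" and ">" are deliberately excluded from the allowed set.
ALLOWED_CHAR = r"[\w\s.,;:()\-/?!]"
STRICT_TITLE_RE = re.compile(r"^" + ALLOWED_CHAR + r"*$")

# A well-formed character reference: named (&amp;), decimal (&#38;) or hex (&#x26;).
# The mandatory ";" means a bare "&" or a truncated "&amp" can never match.
CHAR_REF = r"&(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);"

# Entity-aware alternative: an "&" is accepted only as part of a complete reference.
ENTITY_AWARE_TITLE_RE = re.compile(
    r"^(?:" + ALLOWED_CHAR + r"|" + CHAR_REF + r")*$"
)


def strict_accepts(value: str) -> bool:
    """True if the value passes the strict (no-ampersand) pattern."""
    return STRICT_TITLE_RE.fullmatch(value) is not None


def entity_aware_accepts(value: str) -> bool:
    """True if the value contains only allowed characters and complete entities."""
    return ENTITY_AWARE_TITLE_RE.fullmatch(value) is not None


def safe_title_attr(raw: str) -> str:
    """Escape raw text for placement inside a double-quoted HTML attribute."""
    return html.escape(raw, quote=True)


if __name__ == "__main__":
    # Constructed sample values, including the ones quoted in the thread.
    samples = [
        "Full QA Session",        # no ampersand
        "Full Q&A Session",       # raw ampersand
        "Full Q&amp;A Session",   # named reference
        "Full Q&#38;A Session",   # decimal reference
        "Full Q&#x26;A Session",  # hex reference
        "Full Q&amp A Session",   # truncated reference (no ";")
    ]
    for s in samples:
        print(f"{s!r:28} strict={strict_accepts(s)!s:5} entity_aware={entity_aware_accepts(s)}")
    print(safe_title_attr('Full Q&A "Session"'))
```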