[Owasp-antisamy] Ampersand character in title attribute

August Detlefsen augustd at codemagi.com
Mon Feb 22 18:21:37 EST 2010


With the default regex, it does not matter whether the ampersand is 
encoded or not. "Full Q&A Session", "Full Q&A Session" and "Full 
Q&A Session" fail the AntiSamy check, but "Full QA Session" does 
not. This implies that any other encoded character will also fail, since 
the ampersand is used in all of them.

-August


On 2/22/10 1:45 PM, Dave Moore wrote:
> i'm not a dev on the team, but the markup looks invalid, it should be 
> & -- the text inside html attributes has to be escaped.
>
> -dave
>
> On Mon, Feb 22, 2010 at 15:19, August Detlefsen <augustd at codemagi.com> wrote:
>
>     AntiSamy is rejecting the ampersand character in the title
>     attribute of
>     an href. If my input is:
>
>     <a href="/some/page" title="Full Q&A Session" />
>
>     It rejects the tag due to the &.
>
>     Do you know of any reason why that character should be banned from a
>     title? It seems like it would be present a lot if you are encoding
>     special characters...
>
>     Is it safe to adjust the default regex for the title field to
>     allow the
>     ampersand?
>
>     Thanks,
>     August
>
>     --
>     August Detlefsen
>     CEO/Web Application Architect
>     CodeMagi, Inc.
>     http://www.codemagi.com
>
>     _______________________________________________
>     Owasp-antisamy mailing list
>     Owasp-antisamy at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>

-- 
August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc.
http://www.codemagi.com
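As an added illustration, not code from the thread or from AntiSamy itself, the check below contrasts a strict attribute regex with no "&" at all (a stand-in for the default title regex the thread describes, not the real policy pattern) against an entity-aware alternative that admits "&" only as a complete named, decimal or hex character reference. The encoded variants "&amp;" and "&#38;" are constructed here, since the archive collapsed the originals.

```python
import html
import re

# Assumed stand-in for the default title-attribute whitelist: letters, digits,
# spaces and light punctuation, and no "&" in any form.
STRICT_TITLE = re.compile(r"^[a-zA-Z0-9 .,:;\-_'/()!?]*$")

# Entity-aware alternative: "&" is accepted only when it starts a complete
# character reference (named, decimal or hexadecimal, terminated by ";").
ENTITY = r"&(?:[a-zA-Z][a-zA-Z0-9]{1,31}|#[0-9]{1,7}|#[xX][0-9a-fA-F]{1,6});"
ENTITY_AWARE_TITLE = re.compile(r"^(?:[a-zA-Z0-9 .,:;\-_'/()!?]|" + ENTITY + r")*$")


def strict_allows(value: str) -> bool:
    """Verdict of the strict regex: any '&' fails, encoded or not."""
    return STRICT_TITLE.fullmatch(value) is not None


def entity_aware_allows(value: str) -> bool:
    """Verdict of the entity-aware regex: a bare '&' fails, '&amp;' passes."""
    return ENTITY_AWARE_TITLE.fullmatch(value) is not None


def rendered_text(value: str):
    """Text a browser would show for an accepted title, or None if rejected.

    Decoding after validation shows that the encoded form still renders as the
    intended 'Q&A' while the attribute value itself never holds a raw '&'.
    """
    return html.unescape(value) if entity_aware_allows(value) else None


# Constructed sample values: the thread's raw and plain forms plus encoded ones.
SAMPLES = [
    "Full Q&A Session",      # raw ampersand (the thread's original input)
    "Full Q&amp;A Session",  # named reference
    "Full Q&#38;A Session",  # decimal reference
    "Full Q&#x26;A Session", # hexadecimal reference
    "Full Q&amp A Session",  # malformed reference (missing ';')
    "Full QA Session",       # no ampersand at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} strict={strict_allows(sample)!s:5} "
              f"entity_aware={entity_aware_allows(sample)!s:5} "
              f"renders_as={rendered_text(sample)!r}")
```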
