owasp-java-encoder icon indicating copy to clipboard operation
owasp-java-encoder copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Confusing example in Encode.forHtmlAttribute docs

Open meeque opened this issue 1 year ago • 2 comments
trafficstars

Currently the Encode.forHtmlAttribute JavaDocs contain this JSP example:

<div><%=Encode.forHtmlAttribute(unsafeData)%></div>

I guess this may be secure, but imho it does not reflect the intention of this method. How about using an example that involves html attributes? Maybe something like this:

<div title="<%=Encode.forHtmlAttribute(unsafeData)%>">...</div>
<div title='<%=Encode.forHtmlAttribute(unsafeData)%>'>...</div>

Imho the JavaDocs should also mention that the caller of this method must add quotes around the outputs of this method.

If you think any of this is helpful, I can prepare a PR.

meeque avatar Apr 17 '24 23:04 meeque

I agree. That's a Javadoc bug. I thought that quotes were mentioned as being required somewhere in the Encode Javadoc, but I could be wrong about that.

I'd say PR away, but that's not really my call.

kwwall avatar Apr 17 '24 23:04 kwwall

Well, I've proposed PR #72 to fix this. Feel free to provide feedback...

meeque avatar Apr 18 '24 22:04 meeque

PR has been merged. Thanks again for the PR!

jeremylong avatar Jul 26 '24 10:07 jeremylong