Pebble Autoescape doesn't work when using in tag atribute

Open cdxf opened this issue 5 years ago • 1 comments

For example, when using it in title atributte:

<div title="{{ title }}">content</div>

For example, it won't escapse if title = foo\"><script src="//xss.mx"><\/script><x=\

Jun 22 '20 15:06 cdxf

Strange. It works for me. <div title="foo\"><script src="//xss.mx"><\/script><x=\">content</div>

Jan 19 '21 19:01 ogrammer