CsQuery ASP.NET web forms - MINOR ISSUE - some attribute values NOT html encoded

Before:

Using CsQuery with ASP.NET web forms:

The ampersand near the end of the src value is not HTML encoded.

Note the script element is automatically added by ASP.NET web forms and is in the body (just after default form and viewstate) NOT the head.

Many thanks.

Aug 03 '13 21:08 CJCannon

So is CsQuery rendering the quoted ampersand as just an ampersand? Will check it out - this seems like one of those things that probably browsers don't care about but is technically incorrect and should be fixed.

Aug 05 '13 18:08 jamietre

The ampsersand is NOT being html encoded, it should be & not just &. All attribute values of html elements should be html encoded. It's a minor thing but it helps in client-side debugging if all little errors like this are eliminated.

Aug 05 '13 21:08 CJCannon

@jamietre This might not seem important but not encoding HTML entities in attributes can lead to XSS. While it does not seem critical to users like me who do scraping - to users like you who use CsQuery in MVC to render code clients receive it seems like a pretty important fix.

Aug 06 '13 12:08 benjamingr

Point taken. The spec describes quoting rules what I had implemented before: http://dev.w3.org/html5/spec-LC/syntax.html#attributes-0

I have tentatively implemented it to use attribute encoding per MS HtmlAttributeEncode whenever the double-quoting rule criteria are met, unless the only character requiring quoting is a double-quote, in which case I use a single-quote as the quoting character.

If you know of a definitive reference for when attribute encoding must be used let me know.

Aug 06 '13 13:08 jamietre

CsQuery CsQuery copied to clipboard

ASP.NET web forms - MINOR ISSUE - some attribute values NOT html encoded

CsQuery
CsQuery copied to clipboard