Giters

OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Home Page:https://owasp.org/www-project-java-encoder/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Confusing example in Encode.forHtmlAttribute docs

meeque opened this issue · comments

commented

Currently the Encode.forHtmlAttribute JavaDocs contain this JSP example:

<div><%=Encode.forHtmlAttribute(unsafeData)%></div>

I guess this may be secure, but imho it does not reflect the intention of this method. How about using an example that involves html attributes? Maybe something like this:

<div title="<%=Encode.forHtmlAttribute(unsafeData)%>">...</div>
<div title='<%=Encode.forHtmlAttribute(unsafeData)%>'>...</div>

Imho the JavaDocs should also mention that the caller of this method must add quotes around the outputs of this method.

If you think any of this is helpful, I can prepare a PR.

commented

I agree. That's a Javadoc bug. I thought that quotes were mentioned as being required somewhere in the Encode Javadoc, but I could be wrong about that.

I'd say PR away, but that's not really my call.

commented

Well, I've proposed PR #72 to fix this. Feel free to provide feedback...