-
-
Notifications
You must be signed in to change notification settings - Fork 16.5k
Docs: Fix escaping in HTML escaping example #5742
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: stable
Are you sure you want to change the base?
Conversation
@davidism, I realized that for docs changes I should've made the PR from the |
I wonder if there's a way to demonstrate the issue using the existing url, rather than changing to the |
I agree. Since the emphasis on escaping is to prevent the execution of scripts, I went ahead with using |
@davidism, is there anything else I need to do to have the PR reviewed? |
The code in the Quickstart's HTML Escaping section does not render
name=<script>alert("bad")</script>
to text because the slash in </script> gets interpreted as a trailing slash, leading to a 404.Getting the name as a query parameter instead allows: