
Confusing example in Encode.forHtmlAttribute docs #71

Open
meeque opened this issue Apr 17, 2024 · 2 comments


meeque commented Apr 17, 2024

Currently the Encode.forHtmlAttribute JavaDocs contain this JSP example:

<div><%=Encode.forHtmlAttribute(unsafeData)%></div>

I guess this may be secure, but imho it does not reflect the intention of this method. How about using an example that involves html attributes? Maybe something like this:

<div title="<%=Encode.forHtmlAttribute(unsafeData)%>">...</div>
<div title='<%=Encode.forHtmlAttribute(unsafeData)%>'>...</div>

Imho the JavaDocs should also mention that the caller of this method must add quotes around the outputs of this method.

If you think any of this is helpful, I can prepare a PR.
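The point raised above (the encoder does not supply the quotes, so the template must) can be checked mechanically. The following is an added, stand-alone example written for this issue in Python; it is not the OWASP Java Encoder's own code. It models an attribute-context encoder that escapes an assumed set of five characters (&, <, >, " and '), feeds the rendered markup to Python's HTML tokenizer to show how an unquoted attribute value with whitespace splits into several attributes while a quoted one survives intact, and scans JSP source lines for Encode.forHtmlAttribute calls whose output is not wrapped in matching quotes. The JSP scan is a constructed line-local heuristic, not a JSP parser.

```python
"""Why Encode.forHtmlAttribute output must sit inside quotes (added example).

Stand-alone model written for this issue; not the OWASP Java Encoder's code.
"""
import re
from html.parser import HTMLParser

# Assumed attribute-context escape set. Quotes become numeric references so the
# output is safe inside single- or double-quoted attribute values. Whitespace is
# deliberately left alone, which is exactly why the caller must add quotes.
_ATTR_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;"}


def for_html_attribute(value: str) -> str:
    """Model of attribute-context encoding (assumed escape set, see above)."""
    return "".join(_ATTR_ESCAPES.get(ch, ch) for ch in value)


def render(value: str, quote: str) -> str:
    """Render the issue's title-attribute example; quote is '"', "'" or '' (unquoted)."""
    return f"<div title={quote}{for_html_attribute(value)}{quote}>...</div>"


class _FirstStartTag(HTMLParser):
    """Collects the attributes of the first start tag. The parser decodes entity
    references in attribute values, so a correctly encoded value round-trips."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def parsed_attributes(html: str) -> dict:
    """Attributes a tokenizer sees on the first tag of the given markup."""
    parser = _FirstStartTag()
    parser.feed(html)
    parser.close()
    return dict(parser.attrs or [])


# Line-local heuristic (constructed for this example): a call is fine only when the
# character immediately before it and the one immediately after it are the same quote.
_CALL = re.compile(r"<%=\s*Encode\.forHtmlAttribute\([^%]*\)\s*%>")


def unquoted_attribute_calls(jsp_source: str) -> list:
    """Return 1-based line numbers of calls whose output is not inside matching quotes."""
    findings = []
    for lineno, line in enumerate(jsp_source.splitlines(), start=1):
        for match in _CALL.finditer(line):
            before = line[match.start() - 1] if match.start() > 0 else ""
            after = line[match.end()] if match.end() < len(line) else ""
            if not (before == after and before in ('"', "'")):
                findings.append(lineno)
    return findings


# Constructed JSP sample: the current Javadoc example, the two proposed replacements,
# and an unquoted attribute for contrast.
SAMPLE_JSP = """\
<div><%=Encode.forHtmlAttribute(unsafeData)%></div>
<div title="<%=Encode.forHtmlAttribute(unsafeData)%>">...</div>
<div title='<%=Encode.forHtmlAttribute(unsafeData)%>'>...</div>
<div title=<%=Encode.forHtmlAttribute(unsafeData)%>>...</div>
"""

if __name__ == "__main__":
    value = 'a b=c "quoted" <tag>'  # constructed input with whitespace, quotes and brackets
    for quote in ('"', "'", ""):
        html = render(value, quote)
        print(html, "->", parsed_attributes(html))
    print("calls with unquoted output on lines:", unquoted_attribute_calls(SAMPLE_JSP))
```

Run as a script, the quoted renderings come back as a single title attribute holding the original text, the unquoted one is split at the first space into two attributes, and the scan reports lines 1 and 4 of the sample, i.e. the current Javadoc example and the unquoted variant.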


kwwall commented Apr 17, 2024

I agree. That's a Javadoc bug. I thought that quotes were mentioned as being required somewhere in the Encode Javadoc, but I could be wrong about that.

I'd say PR away, but that's not really my call.


meeque commented Apr 18, 2024

Well, I've proposed PR #72 to fix this. Feel free to provide feedback...
