Escape text #379

Closed
Krinkle opened this Issue Dec 20, 2012 · 0 comments

@Krinkle
jQuery Foundation member

There's a whole bunch of places where we build html strings by hand and don't escape test names or module names.

@Krinkle Krinkle was assigned Dec 20, 2012
@Krinkle Krinkle added a commit that closed this issue Dec 20, 2012
@Krinkle Krinkle Escape text. Fixes #379.
* Rename escapeInnerText to escapeText and include single quotes
  and double quotes.
* Consistent use of `bool="bool"` instead of `bool`.
* Add regression tests for unescaped names in module, test and
  assertion.
* Escape everything that does not explicitly support HTML
  (even urlConfig.id for example).
  In DOM methods text is default and HTML needs parsing. But when
  writing HTML it is the opposite: text needs escaping and html
  is default. So for security we need to reverse that and ensure
  we're escaping stuff by default.
* Rename Test..name to Test..nameHtml (because it is).
476fb66
@Krinkle Krinkle closed this in 476fb66 Dec 20, 2012
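
The escape-by-default rule from the commit message above, as an added example (not QUnit's own code): `escapeText`, `escapeInnerOnly` and `renderTestItem` are hypothetical names, and the module and test names are constructed samples. It shows why the quote characters matter once a name is written into an attribute value instead of element content.

```javascript
// Added example, not QUnit source. All function names here are hypothetical.

// Escapes the five characters that are significant in HTML text and in
// quoted attribute values. Coerces first so non-strings are escaped too.
function escapeText(value) {
  return String(value == null ? "" : value).replace(/[&<>"']/g, function (ch) {
    switch (ch) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default: return "&#039;";
    }
  });
}

// Assumption for comparison: a helper that only covers element content
// (&, <, >) and leaves both quote characters untouched.
function escapeInnerOnly(value) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  return String(value).replace(/[&<>]/g, function (ch) { return map[ch]; });
}

// Builds a result row by string concatenation. The module name lands in a
// single-quoted attribute value, the test name in element content.
function renderTestItem(moduleName, testName, escape) {
  return "<li title='" + escape(moduleName) + "'>" +
    "<span class=\"test-name\">" + escape(testName) + "</span></li>";
}

// Constructed sample names containing markup-significant characters.
var sampleModule = "core' data-x='1";
var sampleTest = "<b>renders</b> & \"quotes\"";

// Content-only escaping: the quote in the module name ends the title value
// early and the rest of the name is parsed as a separate attribute.
var weak = renderTestItem(sampleModule, sampleTest, escapeInnerOnly);

// Escaping quotes as well keeps the whole name inside the title value.
var safe = renderTestItem(sampleModule, sampleTest, escapeText);

console.log(weak);
console.log(safe);
```
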
@pandanoir pandanoir referenced this issue Jan 22, 2013
Closed

html entities #386

@JamesMGreene JamesMGreene added a commit that referenced this issue Mar 7, 2013
@Krinkle Krinkle Escape text. Fixes #379.
3b9457b