Characters that should be escaped are not escaped when they occur in attribute values.
That is, a valid HTML5 document (e.g., per https://html5.validator.nu/) can be passed to PreMailer.Net and come out as an invalid HTML5 document.
I am using:
PreMailer.Net 1.4.2.0
CsQuery 1.3.3249 (also reproduces with CsQuery trunk)
I think this is a bug in CsQuery itself, but you should be aware in case you want to fix CsQuery or work around this in some way. Not sure, but suspect that because this affects escaping, this may be a security problem where undesired HTML can be injected.
Program:
using System;

namespace PreMailerTestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            // Valid input: the ampersands in the href value and in the text are both written as &amp;
            string h = "<!DOCTYPE html><html><head><meta charset=\"UTF-8\"><title>test</title></head><body><a href=\"http://www.example.com?a=1&amp;b=2\">Hello &amp; World</a></body></html>";
            Console.WriteLine("Valid per https://html5.validator.nu/:");
            Console.WriteLine(h);
            Console.WriteLine("Invalid per https://html5.validator.nu/:");
            // The serialized result loses the escaping inside the attribute value
            Console.WriteLine(PreMailer.Net.PreMailer.MoveCssInline(h).Html);
        }
    }
}
Output:
Valid per https://html5.validator.nu/:
<!DOCTYPE html><html><head><meta charset="UTF-8"><title>test</title></head><body><a href="http://www.example.com?a=1&amp;b=2">Hello &amp; World</a></body></html>
Invalid per https://html5.validator.nu/:
<!DOCTYPE html><html><head><meta charset="UTF-8"><title>test</title></head><body><a href="http://www.example.com?a=1&b=2">Hello &amp; World</a></body></html>
Message from validator:
Error: & did not start a character reference. (& probably should have been escaped as &amp;.)
At line 1, column 117
example.com?a=1&b=2">Hello &am
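A post-serialization check for the symptom reported above, as an added example that is not part of the original issue and is not PreMailer.Net or CsQuery code: it counts, and can re-escape, ampersands in quoted attribute values that do not start a character reference. The class name `AttributeAmpersands`, the regular expressions and the sample string are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example; AttributeAmpersands is a hypothetical helper, not PreMailer.Net or CsQuery API.
static class AttributeAmpersands
{
    // Start tags and quoted attribute values. Simplified patterns for a post-serialization
    // check; they do not handle '>' inside attribute values, comments or <script> bodies.
    static readonly Regex Tag = new Regex(@"<[A-Za-z][^<>]*>");
    static readonly Regex Attr = new Regex(@"([^\s""'<>/=]+)\s*=\s*(""[^""]*""|'[^']*')");
    // '&' that does not begin a named or numeric character reference terminated by ';'.
    static readonly Regex BareAmp =
        new Regex(@"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)");

    // Number of bare ampersands found inside quoted attribute values.
    public static int Count(string html)
    {
        int n = 0;
        foreach (Match tag in Tag.Matches(html))
            foreach (Match attr in Attr.Matches(tag.Value))
                n += BareAmp.Matches(attr.Groups[2].Value).Count;
        return n;
    }

    // Re-escape bare ampersands in attribute values. Text nodes and existing character
    // references are left alone; whitespace around '=' is dropped.
    public static string Escape(string html)
    {
        return Tag.Replace(html, tag =>
            Attr.Replace(tag.Value, attr =>
                attr.Groups[1].Value + "=" + BareAmp.Replace(attr.Groups[2].Value, "&amp;")));
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample with the serialized output shape reported in this issue.
        string serialized =
            "<body><a href=\"http://www.example.com?a=1&b=2\">Hello &amp; World</a></body>";
        Console.WriteLine(AttributeAmpersands.Count(serialized));
        string repaired = AttributeAmpersands.Escape(serialized);
        Console.WriteLine(repaired);
        Console.WriteLine(AttributeAmpersands.Count(repaired));
    }
}
```

Run as a unit-test assertion on the serialized HTML, a non-zero count flags output in which attribute escaping was lost.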