In the spirit of #55, shouldn't attribute names and values also be properly escaped to prevent XSS attacks?
It seems the fix could be as simple as using HtmlEscapers.htmlEscaper().escape(...) in addAttribute().
Similar to the existing TestEscapeText, a test for this could look something like:
import static org.junit.jupiter.api.Assertions.assertEquals;

import htmlflow.HtmlFlow;
import org.junit.jupiter.api.Test;

public class TestEscapeForAttributes {

    @Test
    public void testEscapeForAttributeValues() {
        // Expected output once attribute values go through Guava's HtmlEscapers
        // (" -> &quot;, ' -> &#39;, < -> &lt;, > -> &gt;, & -> &amp;).
        var expected = """
                <!DOCTYPE html>
                <html>
                \t<head>
                \t\t<meta name="foo" content="&quot;&gt;&lt;script&gt;alert(&#39;1&#39;)&lt;/script&gt;">
                \t</head>
                \t<body bar="&quot;&gt;&lt;script&gt;alert(&#39;1&#39;)&lt;/script&gt;">
                \t</body>
                </html>""";

        var view = HtmlFlow.<String>view(page -> page
            .html()
                .head()
                    .<String>dynamic((head, text) -> head
                        .meta()
                            .attrName("foo").attrContent(text)
                        .__()
                    )
                .__()
                .body()
                    .<String>dynamic((body, text) -> body
                        .addAttr("bar", text)
                    )
                .__()
            .__()
        );

        // Payload that closes the attribute and starts a new tag.
        var html = view.render("\"><script>alert('1')</script>");
        assertEquals(expected, html);
    }

    @Test
    public void testEscapeForAttributeNames() {
        // similarly for attribute names
    }
}
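As an added, stand-alone sketch of the proposed fix (example code, not HtmlFlow's own): the addAttributeUnsafe/addAttributeEscaped helpers and the SAFE_ATTR_NAME pattern are hypothetical, only HtmlEscapers is Guava's real API. It also covers the attribute-name half of the issue, where validation is needed rather than escaping, because an entity inside a name does not produce a well-formed attribute.

```java
import com.google.common.html.HtmlEscapers;
import java.util.regex.Pattern;

public final class AttributeEscapeDemo {

    // Hypothetical name check: a deliberately strict subset of what HTML
    // allows. Names cannot be made safe by entity-escaping, so reject instead.
    private static final Pattern SAFE_ATTR_NAME =
            Pattern.compile("[A-Za-z][A-Za-z0-9_:.-]*");

    // Unsafe variant: raw concatenation, the behaviour the issue reports.
    static String addAttributeUnsafe(StringBuilder out, String name, String value) {
        out.append(' ').append(name).append("=\"").append(value).append('"');
        return out.toString();
    }

    // Hardened variant: validate the name, escape the value with Guava's
    // HtmlEscapers (the fix suggested in the issue).
    static String addAttributeEscaped(StringBuilder out, String name, String value) {
        if (!SAFE_ATTR_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("Rejected attribute name: " + name);
        }
        out.append(' ').append(name).append("=\"")
           .append(HtmlEscapers.htmlEscaper().escape(value)).append('"');
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed payload, the same one used in the proposed test above.
        String payload = "\"><script>alert('1')</script>";

        System.out.println("unsafe:  <body"
                + addAttributeUnsafe(new StringBuilder(), "bar", payload) + ">");
        System.out.println("escaped: <body"
                + addAttributeEscaped(new StringBuilder(), "bar", payload) + ">");

        // A name containing whitespace would start a second attribute; the
        // hardened variant refuses it instead of trying to escape it.
        try {
            addAttributeEscaped(new StringBuilder(), "bar foo", "v");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```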