decoded html entities in href #193

Closed
fr3akX opened this issue Feb 16, 2020 · 1 comment · Fixed by #201

@fr3akX
fr3akX commented Feb 16, 2020

href attribute value has decoded html entities in output.

Example

```java
import org.owasp.html.Sanitizers;

String input = "" +
        "<a href=\"/index.php?action=1&order_id=1\">order</a>";
System.out.println(Sanitizers.LINKS.sanitize(input));
```

output

```html
<a href="/index.php?action&#61;1ℴ_id&#61;1" rel="nofollow">order</a>
```

`&order` is decoded as ℴ, which renders the link invalid

@yangbongsoo

@fr3akX Hello. I think the `-` and `_` chars may be treated as plain letters. What do you think?

mikesamuel added a commit that referenced this issue Jun 2, 2020
mikesamuel added a commit that referenced this issue Jun 13, 2020
#201)

Use html.standard rules for when a semicolon is optional after `&name`

Fixed #193: &order in link broken
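
The commit message above refers to the HTML standard's rule for named character references that lack a trailing semicolon. The following is an added Python sketch, not the sanitizer's Java code: `decode_attr_spec` applies that rule to an attribute value using Python's `html.entities.html5` table, while `decode_lenient` is a constructed decoder that reproduces the output reported in this issue. All function names are hypothetical, and numeric references are left out.

```python
import re
from html.entities import html5  # WHATWG table: keys such as 'amp', 'amp;', 'order;'

REPORTED = "/index.php?action=1&order_id=1"  # href value from this issue
_MAX_NAME = max(len(k) for k in html5)
_ALNUM = re.compile(r"[A-Za-z0-9]")


def _longest_match(s, start):
    """Longest table key that begins at s[start] (just after '&'), or None."""
    for end in range(min(len(s), start + _MAX_NAME), start, -1):
        if s[start:end] in html5:
            return s[start:end]
    return None


def decode_attr_spec(value):
    """Decode named references in an attribute value per the HTML standard."""
    out, i = [], 0
    while i < len(value):
        name = _longest_match(value, i + 1) if value[i] == "&" else None
        if name is None:
            out.append(value[i])  # ordinary char, or '&' that starts no known name
            i += 1
            continue
        nxt = value[i + 1 + len(name):i + 2 + len(name)]
        if not name.endswith(";") and (nxt == "=" or _ALNUM.match(nxt)):
            out.append("&" + name)  # attribute rule: keep '&name' literal
        else:
            out.append(html5[name])
        i += 1 + len(name)
    return "".join(out)


def decode_lenient(value):
    """Constructed 'before' decoder: any known name decodes even without ';'."""
    def repl(m):
        return html5.get(m.group(1) + ";", m.group(0))
    return re.sub(r"&([A-Za-z][A-Za-z0-9]*);?", repl, value)


if __name__ == "__main__":
    print(decode_lenient(REPORTED))    # '&order' turns into U+2134
    print(decode_attr_spec(REPORTED))  # unchanged
```

Because `order` appears in the table only with its semicolon, `&order_id` matches no reference and the query string survives intact; a legacy name such as `&copy` is also kept literal inside an attribute when `=` or an alphanumeric follows it.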