commit | c92db391379cc19738de8bb5008ed619cb049ebe | [log] [tgz] |
---|---|---|
author | Nick Kralevich <nnk@google.com> | Fri Jul 27 13:22:20 2012 -0700 |
committer | Nick Kralevich <nnk@google.com> | Fri Jul 27 13:27:00 2012 -0700 |
tree | 7bf9e332c1f8dd733ebb89029ad61c195488a616 | |
parent | 527d14dc3c2fd72f1cdfaaa7e249456778fe93e4 [diff] |
ClipData: html attribute values should always be escaped Failure to properly escape HTML attribute values can lead to XSS attacks. Technically, HTML of the form <a href="http://www.google.com/search?x=a&y=b">blah</a> is malformed (but widely accepted). Such links should be written as <a href="http://www.google.com/search?x=a&y=b">blah</a> See: http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2 Change-Id: I188ded00b4cac44acb38884d4728c4cf9500f3b6