On Mon, Apr 3, 2017 at 8:31 AM, Alexandre Russel <
alex...@russel.fr> wrote:
> Hi,
>
> I've created an Attribute Policy that modifies the src of the image tag. It
> is working as expected, but the sanitize code, instead of just putting the
> value as src in the html, is encoding it. This makes the value unusable. Why
How is HTML-encoding a URL a problem?
https://jsbin.com/hudekejuyo/edit?html,output shows that HTML encoding
of URLs in HTML attributes leads to equivalent URLs as seen by the
browser.
> would we want attributes to be HTML encoded ?
We would want attributes to be HTML encoded for correctness.
If you have the URL
http://example.com?a=b&copy=1
then you should HTML escape it thus
http://example.com?a=b&amp;copy=1
Most browsers are smart enough to realize that &copy in a URL
attribute is not a copyright symbol the way it is everywhere else, but
don't rely on that for program correctness.
> How can I avoid this ? I really
> hope that there is another way than pre-decoding the value so that the
> encoded value would be as expected.
What do you mean pre-decoding? A concrete example would be helpful.
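The following is an added example, not code from the thread or from the sanitizer project, that models the browser-side behaviour the reply describes: how an HTML5 parser decodes character references in an attribute value versus in text, and why writing the URL's "&" as "&amp;" is what actually keeps "&copy=1" intact. The entity table is a deliberately tiny assumption (only the names used here), and the legacy no-semicolon rule is the HTML5 one: inside an attribute, a named reference without ";" is left alone when the next character is "=" or alphanumeric.

```javascript
// Added example (not from the thread or the sanitizer): a small model of HTML5
// character-reference decoding, enough to show why "&" in a URL placed in an
// attribute must be serialized as "&amp;".

// Assumption: a tiny entity table; real parsers know ~2000 names.
const NAMED = { amp: "&", copy: "\u00a9", lt: "<", gt: ">", quot: "\"" };

// Matches "&#x26;", "&#38;", "&copy;" or the legacy no-semicolon form "&copy".
const REF = /&(?:(#[xX][0-9a-fA-F]+|#[0-9]+)|([a-zA-Z][a-zA-Z0-9]*))(;?)/g;

// Decode character references in s. When inAttribute is true, apply the HTML5
// legacy rule: a named reference with no trailing ";" is NOT decoded if the
// next input character is "=" or an ASCII alphanumeric (the "&copy=1" case).
// In text content (inAttribute false) the reference is always decoded.
function decodeHtml(s, inAttribute) {
  return s.replace(REF, (match, numeric, name, semi, offset) => {
    if (numeric) {
      const hex = numeric[1] === "x" || numeric[1] === "X";
      const cp = hex ? parseInt(numeric.slice(2), 16) : parseInt(numeric.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    const value = NAMED[name];
    if (value === undefined) return match; // unknown name: left as written
    if (!semi && inAttribute) {
      const next = s[offset + match.length];
      if (next !== undefined && /[=A-Za-z0-9]/.test(next)) return match;
    }
    return value;
  });
}

// Encode a raw string for placement inside a double-quoted attribute value.
// This is what a sanitizer does to the URL returned by an attribute policy.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;" };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// For a raw URL, report what the browser sees if it is written into the
// attribute unencoded versus properly encoded.
function compare(rawUrl) {
  return {
    raw: rawUrl,
    unencodedInAttribute: decodeHtml(rawUrl, true),
    unencodedInText: decodeHtml(rawUrl, false),
    encoded: encodeAttr(rawUrl),
    encodedInAttribute: decodeHtml(encodeAttr(rawUrl), true),
  };
}

// Constructed sample inputs from the thread's example.
const SAMPLE = "http://example.com?a=b&copy=1";
const SAMPLE_AT_END = "http://example.com?a=b&copy";

if (typeof require !== "undefined" && require.main === module) {
  console.log(compare(SAMPLE));
  // "&copy" at the end of the value is decoded even in an attribute:
  console.log(compare(SAMPLE_AT_END));
}
```

The unencoded form of the first sample survives only because of the legacy "=" rule; move the "&copy" to the end of the query string, or add a ";" after it, and the attribute value silently acquires a copyright sign. The encoded form decodes to the original URL in every position, which is the correctness argument for a sanitizer always entity-encoding attribute values.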