Comments (1)
It is the attributes of HTML and XML tags that must be strongly encoded, for security reasons. The code that does this is in com/cohort/util/XML.java in the method called encodeAsHTMLAttribute. The JavaDoc for that method explains:
* For security reasons, for text that will be used as an HTML or XML attribute,
* this replaces non-alphanumeric characters with HTML Entity &#xHHHH; format.
* See HTML Attribute Encoding at
* [https://owasp.org/www-pdf-archive/OWASP_Cheatsheets_Book.pdf](https://owasp.org/www-pdf-archive/OWASP_Cheatsheets_Book.pdf)
* pg 188, section 25.4
* "Encoding Type: HTML Attribute Encoding
* Encoding Mechanism:
* Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH;
* format, including spaces. (HH = Hex Value)".
* On the need to escape HTML attributes: [http://wonko.com/post/html-escaping](http://wonko.com/post/html-escaping)
Both of the links there are interesting reading.
One might argue that in some circumstances this strict encoding is not necessary. Perhaps. Perhaps not. The problem is that it is very time consuming (even if we assume the programmer has 100% understanding of the situation) and error prone to try to make that determination. It is vastly simpler and (more important) vastly safer to just routinely encode all attributes in the safe and recommended way.
from erddap.
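The comment above argues that strictly encoding every non-alphanumeric character in an attribute is safer than deciding case by case whether the usual `& < > " '` escaping is enough. The following Python script is an added illustration, not ERDDAP's `com.cohort.util.XML` code: it re-implements the OWASP rule the JavaDoc quotes (every character except ASCII letters and digits becomes `&#xHHHH;`), puts it beside the usual `html.escape` treatment, and feeds the resulting markup through the standard library's tolerant HTML parser to show which attributes a consumer actually sees. The function names, the `<a title=...>` templates and the `onmouseover` payload are constructed for the demonstration and are assumptions of this example, not names or data from the page.

```python
"""Strict HTML attribute encoding (OWASP: escape everything except
alphanumerics as &#xHHHH;) versus the usual "escape & < > \" '" approach.

Illustration only: this is not ERDDAP's com/cohort/util/XML.java code, just
a Python re-implementation of the rule its JavaDoc quotes.  Payloads and
markup templates below are constructed for the demonstration.
"""
import html
from html.parser import HTMLParser


def encode_as_html_attribute(text: str) -> str:
    """Encode every character except ASCII letters and digits as &#xHHHH;.

    Hypothetical function name chosen to mirror the method the comment
    mentions.  At least four hex digits matches the &#xHHHH; form the
    JavaDoc describes; the OWASP text's &#xHH; form is equally valid HTML.
    """
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):04X};"
        for ch in text
    )


def naive_escape(text: str) -> str:
    """The usual escaping: only & < > " ' are touched (html.escape)."""
    return html.escape(text, quote=True)


class _AttrCollector(HTMLParser):
    """Collects the (name, value) pairs a tolerant HTML parser extracts."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parse_attributes(markup: str):
    """Return the attributes found on the first start tag in `markup`.

    HTMLParser decodes entity references inside attribute values, so the
    result is the value a browser would actually use.
    """
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def render_unquoted(value: str) -> str:
    """A template that forgot to quote the attribute (a constructed mistake)."""
    return f"<a title={value}>link</a>"


def render_quoted(value: str) -> str:
    """The same template with the attribute properly double-quoted."""
    return f'<a title="{value}">link</a>'


# Constructed payload: it contains none of & < > " ', so naive escaping
# leaves it untouched; only the space and '=' give it away.
PAYLOAD = "x onmouseover=alert(1)"


def compare(value: str = PAYLOAD) -> dict:
    """For each encoder/template pair, the attributes the parser sees."""
    return {
        "naive_unquoted": parse_attributes(render_unquoted(naive_escape(value))),
        "naive_quoted": parse_attributes(render_quoted(naive_escape(value))),
        "strict_unquoted": parse_attributes(
            render_unquoted(encode_as_html_attribute(value))),
        "strict_quoted": parse_attributes(
            render_quoted(encode_as_html_attribute(value))),
    }


def roundtrip_ok(text: str) -> bool:
    """The strict form is lossless: decoding it returns the original text."""
    return html.unescape(encode_as_html_attribute(text)) == text


if __name__ == "__main__":
    for case, attrs in compare().items():
        print(f"{case:16} -> {attrs}")
    # Non-ASCII and markup characters survive the round trip unchanged.
    print("round trip ok:", roundtrip_ok("naïve <b>&\"'</b>"))
```

Only the `naive_unquoted` case splits into two attributes, `title` and an injected `onmouseover` handler; the strict encoding yields a single `title` attribute whether or not the template quoted it, because no literal space or `=` remains in the output. That is the practical content of the comment's argument: the strict rule removes the need to know, at every call site, whether the template quoted the attribute and with which quote character.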