...
```html
<!-- not safe -->
<div>Hello ${displayName}, please don't hack our site</div>
<!-- safe -->
<div>Hello ${displayName?html}, please don't hack our site</div>
```
Note: when a sanitized string is placed inside an HTML attribute, you must take the extra step of delimiting that attribute with double quotes rather than single quotes. The `?html` built-in encodes `<`, `>`, `&` and `"`, but the apostrophe is left alone unless your FreeMarker version and settings enable that, so a single-quoted attribute can still be closed early by untrusted input.
Use double quotes when interpolating in attributes:

```html
<!-- sanitized, but still unsafe: ?html does not encode the apostrophe, so an untrusted string can close the attribute and inject a malicious event attribute -->
<div title='Information for ${username?html}'> ... </div>
<!-- use double-quoted attributes -->
<div title="Information for ${username?html}"> ... </div>
```
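The following is an added example, not code from the original page: a small Python model of the `?html` built-in (assumed here to encode `<`, `>`, `&` and `"` but not `'`) renders the two attribute templates above and uses the standard-library HTML parser to show which attributes a browser-side parser would actually see. The untrusted value and the `doSomething()` handler name are constructed sample data.

```python
import html
from html.parser import HTMLParser

def freemarker_html(value: str) -> str:
    """Model of the classic FreeMarker ?html built-in (assumption: it escapes
    <, >, & and the double quote, but leaves the apostrophe untouched)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))

def render_single_quoted(username: str) -> str:
    # The "sanitized but still unsafe" template: attribute delimited with '
    return f"<div title='Information for {freemarker_html(username)}'> ... </div>"

def render_double_quoted(username: str) -> str:
    # The recommended template: attribute delimited with "
    return f'<div title="Information for {freemarker_html(username)}"> ... </div>'

def render_single_quoted_full_escape(username: str) -> str:
    # Same single-quoted template, but with an escaper that also encodes '
    # (Python's html.escape does). Shows that the root cause is an escaper
    # that does not cover the delimiter character in use.
    return f"<div title='Information for {html.escape(username)}'> ... </div>"

class _DivAttrs(HTMLParser):
    """Collects the attributes the parser sees on the <div> start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            self.attrs.update(attrs)

def div_attributes(markup: str) -> dict:
    parser = _DivAttrs()
    parser.feed(markup)
    return parser.attrs

# Constructed untrusted input that closes a single-quoted attribute early.
UNTRUSTED = "x' onmouseover='doSomething()"

if __name__ == "__main__":
    for render in (render_single_quoted, render_double_quoted,
                   render_single_quoted_full_escape):
        print(render.__name__, "->", div_attributes(render(UNTRUSTED)))
```

Only the single-quoted template rendered with the `?html`-style escaper yields a second `onmouseover` attribute; the double-quoted template, and the single-quoted one with an escaper that also encodes `'`, keep the whole input inside `title`.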
...