Reputation: 51
In the various answers in the SO, it is mentioned that you should escape ampersand, greater than and less than symbols. Even &ndash; and &mdash; should be escaped, as far as I understood.
Source: Do I really need to encode '&' as '&amp;'?, check out the answers in there!
Can anyone show me how exactly security can be breached or cookie stealing can happen if I do not escape the symbols I have mentioned. It does not make sense to me the people can hack the websites because of this.
Upvotes: 0
Views: 99
Reputation: 121609
If your question is "should I always use &amp;" (and never "&") - then yes.
If for no other reason than "good style".
Here's why:
HTML comes from SGML, and SGML/HTML have a notion of "entities", which are delimited in SGML text by "&" .. ";".
The ampersand character &amp; must be defined as an entity, to differentiate it from the start of an entity. So must HTML brackets < and > (&lt; and &gt; respectively). And so on.
Other HTML entities are simply defined for "convenience", such as &copy; or &euro;.
Here is a complete list of W3C-conforming, HTML5 entities:
PS:
As torazaburo noted above, "this is not fundamentally a security issue". It's merely the way HTML works ;)
Upvotes: 0
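As an added example (not code from the question or the answer above), this JavaScript shows why a raw "&" in page text is ambiguous: a minimal escaper for the characters that change HTML structure, next to a small entity decoder that mimics how a lenient browser reads "&name" sequences. The decoder, its tiny entity table and the tag-stripping regex are simplifications chosen for illustration.

```javascript
// Added example, not from the original thread. A few named entities, enough
// to show the ambiguity; a real browser knows thousands.
const ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"',
  copy: "\u00A9", euro: "\u20AC",
};

// Defensive step: escape the characters that can start an entity or a tag
// (or close an attribute value) when untrusted text is placed into HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Lenient decoding, as browsers do for legacy entities: "&copy" is read as
// the copyright sign whether or not the trailing ";" is present. Unknown
// names are left alone. Single pass, so "&amp;copy" yields the text "&copy".
function decodeEntities(html) {
  return html.replace(/&([a-zA-Z]+);?/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(ENTITIES, name) ? ENTITIES[name] : match);
}

// Approximate what a reader sees: tags are consumed as markup, then the
// remaining text has its entities decoded.
function renderedText(html) {
  return decodeEntities(html.replace(/<[^>]*>/g, ""));
}

// Without escaping, the author's literal text "&copy 2024" is silently
// changed into "© 2024"; with escaping it survives intact. Likewise a
// literal "<b>" disappears into markup unless escaped.
function demo() {
  const author = "Terms &copy 2024 <b>bold</b>";
  return {
    unescaped: renderedText(author),           // "Terms \u00A9 2024 bold"
    escaped: renderedText(escapeHtml(author)), // "Terms &copy 2024 <b>bold</b>"
  };
}
```

The point for the defender is that the escaped form is the only one whose rendered text equals what was stored, which is the same property that keeps injected markup from being interpreted.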