From cd2dbfe45354beff050034f532efb0d79f40d52c Mon Sep 17 00:00:00 2001
From: kwwall Please make sure to read and understand the context that the method encodes
* for. Encoding for the incorrect context will likely lead to exposing a
- * cross-site scripting vulnerability.
This method encodes for HTML text content. It does not escape * quotation characters and is thus unsafe for use with - * HTML attributes. Use either forHtml or forHtmlAttribute for those + * HTML attributes. Use either {@link #forHtml(String)} or {@link #forHtmlAttribute(String)} for those * methods.
* * Example JSP Usage @@ -232,7 +237,9 @@ public static void forHtmlContent(Writer out, String input) } /** - *This method encodes for HTML text attributes.
+ *This method encodes for HTML text attributes. Do not use for JavaScript event attributes or for attributes + * that are interpreted as a URL. Instead use {@link #forJavaScript(String)} and {@link #forUriComponent(String)} + * respectively for those.
* * Example JSP Usage *@@ -472,15 +479,13 @@ public static void forHtmlUnquotedAttribute(Writer out, String input) * Encoding Notes *
The following characters are not encoded:
** U+20: - . 0 1 2 3 4 5 6 7 8 9 - * U+40: @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z _ + * U+40: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z _ * U+60: a b c d e f g h i j k l m n o p q r s t u v w x y z ~ ** @@ -704,7 +709,7 @@ public static void forCssUrl(Writer out, String input) *
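Review bot: in the forHtmlContent Javadoc hunk the new `{@link #forHtml(String)}` and `{@link #forHtmlAttribute(String)}` links name only the String-returning overloads, while the same class exposes Writer overloads (the hunk context on the very next line is `forHtmlContent(Writer out, String input)`); a caller reading the Writer variant's Javadoc is sent to a signature they cannot use, so either link both forms or phrase the sentence so it points at the method family. The sentence the links complete ("... for those * methods") also becomes awkward once the names are links; "for attribute values" would say what "those" refers to.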
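Review bot: the added warning in the forHtmlAttribute Javadoc directs URL-valued attributes to `{@link #forUriComponent(String)}`, but that method, as its name says, encodes a single URI component; percent-encoding a whole attribute value that is itself a URL would mangle the scheme, `/`, `?` and `&`, and encoding does nothing about a dangerous scheme, which only validation or allowlisting of the URL handles. Suggest wording it as "use forUriComponent for untrusted data embedded inside a URL, and validate the URL itself" rather than presenting the encoder as the complete fix. Minor: the re-added `*This method encodes for HTML text attributes.` still lacks the space after the asterisk that the surrounding Javadoc lines have.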
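Review bot: the Encoding Notes hunk drops `@` from the list of characters left unencoded, yet nothing else in this patch touches the encoder, so it should be stated in the commit message whether this corrects documentation drift (the implementation already encoded `@`) or records a behaviour change made in another commit; in either case a unit test asserting that `@` is encoded would keep the Javadoc and the code from diverging again. The remaining set (`- . 0-9 A-Z _ a-z ~`) is exactly the RFC 3986 unreserved set, and `@` is a gen-delim there, so the corrected list is the right one for a URI component encoder.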