HTML extensions to String.prototype should escape double quotes (") in argument values - by MathiasBynens

Status: By Design

The product team believes this item works according to its intended design.
A more detailed explanation for the resolution of this particular item may have been provided in the comments section.

ID: 752391
Status: Closed
Type: Bug
Repros: 4
Opened: 7/5/2012 4:12:30 AM
Access Restriction: Public


Expected result:

> '_'.link('a"b')
"<a href="a&quot;b">_</a>"

(Currently, IE returns the tagnames in uppercase, which is a separate issue — see

The problem here is IE doesn’t escape " into &quot; at the moment, which is a potential security risk (XSS vector).

For this reason, Chrome escapes " into &quot;. Firefox is going to change its behavior to do the same. Update: they just landed this change in Firefox/Spidermonkey (August 4th, 2012).

Opera will change its behavior too, if other browsers change (see bug DSK-369206). requires escaping the ".

Here’s a list of the methods that have this issue:

* String.prototype.anchor(name)
* String.prototype.fontcolor(color)
* String.prototype.fontsize(size)
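Added example, not part of the bug report: a small CreateHTML-style helper that escapes " in the attribute value the way Chrome and Firefox do, a deliberately unescaped variant that reproduces the behavior reported for IE, a check that counts how many attributes the generated element ends up with (an unescaped " splits one attribute into several, which is the XSS vector the report refers to), and a probe that tells whether the running engine's String.prototype.link is safe. All function names are hypothetical and chosen for this example.

```javascript
// Spec-style behaviour: the only character escaped in the attribute value
// is the double quote, which becomes &quot; so it cannot close the attribute.
function createHTML(str, tag, attr, value) {
  let s = "<" + tag;
  if (attr !== undefined) {
    const escaped = String(value).replace(/"/g, "&quot;");
    s += " " + attr + '="' + escaped + '"';
  }
  return s + ">" + str + "</" + tag + ">";
}

// The reported IE behaviour: value inserted verbatim. Kept only to make the
// difference visible in the check below; never build markup this way.
function createHTMLUnescaped(str, tag, attr, value) {
  return "<" + tag + " " + attr + '="' + value + '">' + str + "</" + tag + ">";
}

// Counts attributes in the opening tag of a single generated element.
// With correct escaping the count equals the number of attributes the
// caller intended (one here); a higher count means caller-supplied text
// has broken out of the attribute value and is now naming attributes.
function attributeCount(html) {
  const open = html.slice(0, html.indexOf(">"));
  const m = open.match(/\s[^\s=]+=("[^"]*"|[^\s"]+)/g);
  return m ? m.length : 0;
}

// Probe the engine: the expected result from the report is
// <a href="a&quot;b">_</a> for '_'.link('a"b').
function engineEscapesQuotes() {
  return "_".link('a"b') === '<a href="a&quot;b">_</a>';
}

// Constructed sample input: a value containing a quote followed by what
// would be read as a second attribute if the quote were not escaped.
const sample = 'x" foo="y';
console.log("escaped  :", createHTML("_", "a", "href", sample),
            "attributes:", attributeCount(createHTML("_", "a", "href", sample)));
console.log("unescaped:", createHTMLUnescaped("_", "a", "href", sample),
            "attributes:", attributeCount(createHTMLUnescaped("_", "a", "href", sample)));
console.log("engine escapes quotes:", engineEscapesQuotes());
```

The attribute count is a cheap regression check for code that still calls the String.prototype HTML methods: run it against the engines you support, and route any caller-controlled value through your own escaping rather than relying on the engine to do it.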
Posted by Microsoft on 7/17/2013 at 10:20 AM
Thank you for your feedback.

The issue you are reporting is by design.

Best regards,

The Internet Explorer Team
Posted by MathiasBynens on 8/31/2012 at 2:40 AM
The ES6 editor’s draft now requires escaping " into &quot;. See A new public ES6 draft should be out soon.
Posted by MathiasBynens on 8/9/2012 at 1:47 AM
FWIW, Mozilla just landed this change:

So both Chrome/V8 and Firefox/Spidermonkey have the “safe” behavior now. Please consider matching this behavior in IE.
Posted by Microsoft on 7/5/2012 at 12:47 PM
Thank you for your feedback.

We were able to reproduce the issue and are investigating it.

Best regards,

The Internet Explorer Team