HTML extensions to String.prototype should escape double quotes (") in argument values - by MathiasBynens

Status: By Design

The product team believes this item works according to its intended design.

A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 752391
Status: Closed
Type: Bug
Repros: 4
Opened: 7/5/2012 4:12:30 AM
Access Restriction: Public

Description

Expected result:

> '_'.link('a"b')
"<a href="a&quot;b">_</a>"

(Currently, IE returns the tagnames in uppercase, which is a separate issue — see https://connect.microsoft.com/IE/feedback/details/752283.)

The problem here is IE doesn’t escape " into &quot; at the moment, which is a potential security risk (XSS vector).

For this reason, Chrome escapes " into &quot;. Firefox is going to change its behavior to do the same: https://bugzilla.mozilla.org/show_bug.cgi?id=352437 Update: they just landed this change in Firefox/Spidermonkey (August 4th, 2012).

Opera will change its behavior too, if other browsers change (see bug DSK-369206).

http://mathias.html5.org/specs/javascript/#escapeattributevalue requires escaping the ".

Here’s a list of the methods that have this issue:

* String.prototype.anchor(name)
* String.prototype.fontcolor(color)
* String.prototype.fontsize(size)
* String.prototype.link(href)
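
The difference between the two behaviours described in the report, as an added example that is not part of the original report or of any browser's code. The function names and the sample argument value are constructed here for illustration.

```javascript
// Added illustration; all names and sample inputs below are constructed.

// Models the behaviour the report describes for IE: the argument is
// concatenated into the quoted attribute value without any escaping.
function unescapedHTML(text, tag, attribute, value) {
  return '<' + tag + ' ' + attribute + '="' + String(value) + '">' +
    String(text) + '</' + tag + '>';
}

// Models the behaviour the report asks for: every " in the argument
// becomes &quot; before it is placed inside the quoted attribute value.
function escapedHTML(text, tag, attribute, value) {
  const safe = String(value).replace(/"/g, '&quot;');
  return '<' + tag + ' ' + attribute + '="' + safe + '">' +
    String(text) + '</' + tag + '>';
}

// Lists the attribute names found in the opening tag. Simplified on
// purpose: it handles only double-quoted attributes and assumes the
// value contains no ">", which holds for the samples used here.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const names = [];
  const re = /\s([^\s"=<>\/]+)="[^"]*"/g;
  let match;
  while ((match = re.exec(openTag)) !== null) names.push(match[1]);
  return names;
}

// True when the engine running this file escapes " in link() arguments.
function nativeLinkEscapes() {
  return '_'.link('a"b') === escapedHTML('_', 'a', 'href', 'a"b');
}

// Constructed argument: a quote followed by text shaped like an attribute.
const sampleValue = 'x" data-injected="1';
console.log(attributeNames(unescapedHTML('_', 'a', 'href', sampleValue)));
console.log(attributeNames(escapedHTML('_', 'a', 'href', sampleValue)));
console.log('native link() escapes quotes:', nativeLinkEscapes());
```

Only the attribute argument is escaped, and only the `"` character; the string the method is called on is emitted as is, so callers still have to encode untrusted text content themselves.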
Posted by Microsoft on 7/17/2013 at 10:20 AM
Thank you for your feedback.

The issue you are reporting is by design.

Best regards,

The Internet Explorer Team
Posted by MathiasBynens on 8/31/2012 at 2:40 AM
The ES6 editor’s draft now requires escaping " into &quot;. See https://bugs.ecmascript.org/show_bug.cgi?id=406#c7. A new public ES6 draft should be out soon.
Posted by MathiasBynens on 8/9/2012 at 1:47 AM
FWIW, Mozilla just landed this change: https://bugzilla.mozilla.org/show_bug.cgi?id=352437#c16

So both Chrome/V8 and Firefox/Spidermonkey have the “safe” behavior now. Please consider matching this behavior in IE.
Posted by Microsoft on 7/5/2012 at 12:47 PM
Thank you for your feedback.

We were able to reproduce the issue and are investigating it.

Best regards,

The Internet Explorer Team