
#463 — String.prototype HTML methods in Annex B should escape " as &quot; in argument values for security reasons

Following the algorithms of these methods in the current ES6 draft:

> '_'.link('a"b')
'<a href="a"b">_</a>'

However, this would be a better result:

> '_'.link('a"b')
'<a href="a&quot;b">_</a>'

The problem here is that " isn't escaped into &quot; at the moment, so a quote inside the argument ends the attribute value early, which is a potential security risk (an XSS vector).

For this reason, Chrome/V8 escapes " into &quot;. Firefox/SpiderMonkey is going to change its behavior to do the same. Opera/Carakan will change its behavior too, as soon as other browsers change (bug DSK-369206). The IE bug is here: requires escaping the ".

Here’s a list of the methods that have this issue:

* String.prototype.anchor(name)
* String.prototype.fontcolor(color)
* String.prototype.fontsize(size)
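The following is an added example, not code from the bug report or from any engine: a small reimplementation of the Annex B CreateHTML operation, once without the escaping (as the draft algorithm in this report produces) and once with " replaced by &quot; in the attribute value. The function names (createHtmlUnescaped, createHtmlEscaped, readAttribute and the four wrappers) are my own, and readAttribute is a deliberately naive reader that, like a tokenizer, stops the attribute value at the first double quote, so it shows the truncation the report is worried about.

```javascript
// Added example, not from the original report. Reimplements the Annex B
// CreateHTML steps: '<' tag [ ' ' attribute '="' value '"' ] '>' S '</' tag '>'.

// Draft behaviour: the attribute value is inserted verbatim.
function createHtmlUnescaped(string, tag, attribute, value) {
  const S = String(string);
  let p1 = "<" + tag;
  if (attribute !== undefined) {
    p1 += " " + attribute + '="' + String(value) + '"';
  }
  return p1 + ">" + S + "</" + tag + ">";
}

// Requested behaviour: every " in the attribute value becomes &quot;,
// so the value can no longer terminate the quoted attribute.
function createHtmlEscaped(string, tag, attribute, value) {
  const S = String(string);
  let p1 = "<" + tag;
  if (attribute !== undefined) {
    const V = String(value).replace(/"/g, "&quot;");
    p1 += " " + attribute + '="' + V + '"';
  }
  return p1 + ">" + S + "</" + tag + ">";
}

// Wrappers mirroring the affected methods (hypothetical names, escaped form).
function link(s, url)      { return createHtmlEscaped(s, "a", "href", url); }
function anchor(s, name)   { return createHtmlEscaped(s, "a", "name", name); }
function fontcolor(s, c)   { return createHtmlEscaped(s, "font", "color", c); }
function fontsize(s, size) { return createHtmlEscaped(s, "font", "size", size); }

// Naive attribute reader: the value ends at the first double quote, which is
// how the unescaped output gets cut short (constructed check, not a parser).
function readAttribute(html, attribute) {
  const m = html.match(new RegExp(" " + attribute + '="([^"]*)"'));
  return m ? m[1] : null;
}

// Stand-alone demonstration with the report's own input.
console.log(createHtmlUnescaped("_", "a", "href", 'a"b')); // <a href="a"b">_</a>
console.log(link("_", 'a"b'));                             // <a href="a&quot;b">_</a>
console.log(readAttribute(createHtmlUnescaped("_", "a", "href", 'a"b'), "href")); // a
console.log(readAttribute(link("_", 'a"b'), "href"));                             // a&quot;b
```

The last two lines are the practical difference: with the draft algorithm the href attribute silently becomes just `a` and the rest of the argument lands outside the attribute, whereas the escaped form keeps the whole value inside the quotes. In a current engine the native String.prototype.link should produce the escaped form, so comparing it against link above is a quick way to confirm the behaviour the report asks for.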

*** This bug has been marked as a duplicate of bug 406 ***