Re: XSSAPI.encodeForHTMLAttr() does not handle code injection

2022-10-10 Thread Eric Norman
Hi Andy, Can you clarify which version of the XSS bundle you are using? I tried this in the 2.3.x XSS codebase. When I plug your string into the XSSAPIImplTest#dataForEncodeToHtmlAttr

XSSAPI.encodeForHTMLAttr() does not handle code injection

2022-10-05 Thread Andreas Schaefer
Hi, when I use XSSAPI.encodeForHTMLAttr() with this value: /content/dam/test-folder/">.html The resulting HTML tag will be closed on the tag is injected. I would assume that a method like this will not allow the HTML attribute to be closed, let alone to close the tag altogether. Is there a way
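The check behind this report, as an added example that is not part of the thread and not Apache Sling's XSSAPI code: a stand-in attribute encoder (encode_for_html_attr, hypothetical; it follows the OWASP-style policy of emitting every non-alphanumeric character as a numeric entity, which is a plausible but not verified model of what XSSAPI.encodeForHTMLAttr() does) is applied to the reported value /content/dam/test-folder/">.html, and a real HTML parser is used to confirm that the unencoded value closes the href attribute while the encoded value survives as a single tag whose href decodes back to the original string.

```python
from html.parser import HTMLParser

# Constructed inputs: the value from the report, plus a more aggressive
# payload that would inject a second tag if the attribute were not encoded.
REPORTED_PATH = '/content/dam/test-folder/">.html'
SCRIPT_PAYLOAD = '/content/x/"><script>alert(1)</script>'


def encode_for_html_attr(value: str) -> str:
    """Hypothetical stand-in for XSSAPI.encodeForHTMLAttr().

    Every character outside [A-Za-z0-9] becomes a hex numeric entity, so a
    double quote, single quote, '<', '>' or '&' can never reach the markup
    as a raw character and therefore cannot terminate the attribute or tag.
    """
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else "&#x%X;" % ord(ch)
        for ch in value
    )


def render_link_unsafe(path: str) -> str:
    """The bug shape described in the report: value dropped in unencoded."""
    return '<a href="%s">link</a>' % path


def render_link(path: str) -> str:
    """Same tag, but the attribute value goes through the encoder."""
    return '<a href="%s">link</a>' % encode_for_html_attr(path)


class _TagCollector(HTMLParser):
    """Collects (tag name, attribute dict) for every start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # html.parser unescapes attribute values for us, so a correctly
        # encoded href comes back as the original string.
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def attribute_is_intact(path: str) -> bool:
    """True if encoding kept the value inside one attribute of one tag."""
    tags = parse_tags(render_link(path))
    return len(tags) == 1 and tags[0][0] == "a" and tags[0][1].get("href") == path


if __name__ == "__main__":
    for value in (REPORTED_PATH, SCRIPT_PAYLOAD):
        print("unsafe :", parse_tags(render_link_unsafe(value)))
        print("encoded:", parse_tags(render_link(value)))
        print("intact :", attribute_is_intact(value))
```

Running it shows the unencoded reported value parsing as an <a> whose href is truncated to /content/dam/test-folder/ with the remainder spilling into text, and the script payload producing a second <script> tag; after encoding, both parse as exactly one <a> whose href equals the input. If a given XSSAPI version lets either raw " or > through to the output, the same parser-based check is a quick way to demonstrate it in a unit test rather than by eyeballing the rendered page.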