- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 6.2.10 EE GA1, 7.0.1 CE GA2
- Fix Version/s: 7.0.0 DXP FP1, 7.0.2 CE GA3, 7.0.0 DXP SP1, 7.0.3 CE GA4, Master
- Component/s: Documentation
- Branch Version/s: 7.0.x
- Backported to Branch: Committed
- Story Points: 1
- Git Pull Request:
Make it clear that escapeAttribute can only be used with a quoted attribute. That is:
<div title="<%= HtmlUtil.escapeAttribute(untrustedValue) %>">
is ok. However,
<div title=<%= HtmlUtil.escapeAttribute(untrustedValue) %>>
is not ok.
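
Why the quotes matter, as an added example that is not part of the original ticket or Liferay's code: the same escaped value is parsed as one attribute when quoted and as two when unquoted. `escape_attr` is a stand-in built on Python's `html.escape` (an assumption, not Liferay's `HtmlUtil` implementation), the input value is constructed, and `find_unquoted` is a hypothetical review helper for JSP sources.

```python
import html
import re
from html.parser import HTMLParser


def escape_attr(value):
    # Stand-in escaper (assumption): encodes & < > " ' and nothing else.
    return html.escape(value, quote=True)


class AttrCollector(HTMLParser):
    """Records the attributes of every start tag the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attrs(markup):
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


# Constructed untrusted input: no quote or angle bracket, only a space and "=".
UNTRUSTED = "tip onmouseover=handler()"

QUOTED = '<div title="%s">' % escape_attr(UNTRUSTED)
UNQUOTED = "<div title=%s>" % escape_attr(UNTRUSTED)

# Review check: a JSP expression used directly as an attribute value, no quotes.
UNQUOTED_EXPR = re.compile(r"[\w:-]+\s*=\s*<%=")


def find_unquoted(jsp_source):
    """Return (line_number, line) for each unquoted attribute expression."""
    return [
        (number, line.strip())
        for number, line in enumerate(jsp_source.splitlines(), 1)
        if UNQUOTED_EXPR.search(line)
    ]


if __name__ == "__main__":
    print(parsed_attrs(QUOTED))    # one attribute: title
    print(parsed_attrs(UNQUOTED))  # two attributes: title and onmouseover
```

In the unquoted form the value ends at the first whitespace, so the rest of the untrusted string becomes a separate attribute even though every character the escaper handles was encoded.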