There are two contradictory statements in the documentation related to HTML and HTML attribute encoding #35597

@sivaji55

Description

Statement 1: Before putting untrusted data into an HTML attribute, ensure it's HTML encoded. HTML attribute encoding is a subset of HTML encoding and encodes double quote ("), single quote ('), ampersand (&), and less-than (<) characters.

Statement 2: As HTML attribute encoding is a superset of HTML encoding this means you don't have to concern yourself with whether you should use HTML encoding or HTML attribute encoding.

The above two statements are contradictory to each other and lead to confusion.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/cross-site-scripting.md

Document ID

94f92690-9791-a4eb-9256-30a497afccd1

Platform Id

1ed40e20-b4f9-c091-0aed-326b84eaf165

Article author

@tdykstra

Metadata

  • ID: 33c64844-bd39-46c9-8b52-192834fa625a
  • PlatformId: 1ed40e20-b4f9-c091-0aed-326b84eaf165
  • Service: aspnet-core
  • Sub-service: security

Related Issues

Associated WorkItem - 445201
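The two quoted statements disagree on whether attribute encoding is a subset or a superset of HTML encoding; the practical point behind both is that a quoted attribute value can be terminated by a quote character that element-content encoding leaves alone. The block below is an added illustration, not code from this issue, from the linked article or from ASP.NET Core: it uses two deliberately minimal hand-written encoders (assumed for illustration, not System.Text.Encodings.Web's HtmlEncoder, which uses an allow-list scheme of its own) plus a rough attribute tokeniser, and shows that content encoding suffices between tags while an attribute value also needs both quote characters neutralised. Payloads and function names are constructed for the example.

```javascript
// Added example (not from the issue or from ASP.NET Core): minimal encoders and a
// rough attribute tokeniser showing why attribute context needs quote encoding.
// The encoders are illustrative only; they are not System.Text.Encodings.Web.HtmlEncoder.

// Element-content encoder: neutralises the characters that can open a tag or an entity.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute encoder: a superset of htmlEncode that also neutralises both quote
// characters, so untrusted data cannot terminate a quoted attribute value.
function htmlAttributeEncode(s) {
  return htmlEncode(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Render untrusted data as element content with the supplied encoder.
function renderParagraph(untrusted, encoder) {
  return `<p>${encoder(untrusted)}</p>`;
}

// Render untrusted data inside a quoted value attribute; `quote` is the delimiter
// the template author chose ('"' or "'").
function renderInput(untrusted, encoder, quote = '"') {
  return `<input type="text" value=${quote}${encoder(untrusted)}${quote}>`;
}

// Tokenise the attributes of one start tag roughly as a browser would: a name,
// optionally followed by = and a value that, if quoted, runs to the matching quote.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/\s*\/?>$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Attributes present in the rendered tag that the template did not write itself.
function injectedAttributes(tag) {
  return attributeNames(tag).filter((n) => n !== 'type' && n !== 'value');
}

// True if the rendered element content contains a start tag the template did not write.
function injectedTag(html) {
  return /<[a-z]/i.test(html.replace(/^<p>/, '').replace(/<\/p>$/, ''));
}

// Constructed payloads: the first only matters in element content; the other two
// each target one quoting style of an attribute value.
const TAG_PAYLOAD = '<img src=x onerror=alert(1)>';
const DQ_PAYLOAD = '" onmouseover="alert(1)';
const SQ_PAYLOAD = "' onmouseover='alert(1)";

// Run every combination and report what leaked through each encoder.
function demo() {
  return {
    contentUnencoded: injectedTag(renderParagraph(TAG_PAYLOAD, (s) => s)),
    contentWithHtmlEncode: injectedTag(renderParagraph(TAG_PAYLOAD, htmlEncode)),
    attrWithHtmlEncode: injectedAttributes(renderInput(DQ_PAYLOAD, htmlEncode)),
    attrWithAttributeEncode: injectedAttributes(renderInput(DQ_PAYLOAD, htmlAttributeEncode)),
    singleQuotedWithHtmlEncode: injectedAttributes(renderInput(SQ_PAYLOAD, htmlEncode, "'")),
    singleQuotedWithAttributeEncode: injectedAttributes(renderInput(SQ_PAYLOAD, htmlAttributeEncode, "'")),
  };
}

console.log(demo());
```

Running it shows `attrWithHtmlEncode` and `singleQuotedWithHtmlEncode` each reporting an injected `onmouseover` attribute, while the attribute encoder leaves nothing injected in either quoting style and content encoding alone already stops the tag payload between `<p>` tags. That is the reason the guidance ends up at "always use the attribute encoder for attributes": it does everything the content encoder does and additionally closes the quote breakout.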
