-
Notifications
You must be signed in to change notification settings - Fork 4
Open
Labels
Description
For an example see
inyoka/tests/apps/markup/test_html_renderer.py
Lines 252 to 256 in 48cf8d5
| html = render('[[Anchor(NA">ME)]]') | |
| self.assertHTMLEqual( | |
| html, | |
| """<a class="crosslink anchor" href='#NA">ME' id='NA">ME'>⚓︎</a>""" | |
| ) |
For JS/CSS if we we want to access them, it is needed to escape it
document.querySelectorAll('#' + CSS.escape('NA">ME'))
This can be at least non-obvious.
(As far as i see it, no HTML can be injected though)
If not all characters should be allowed in the future, the question is, if existing links get broken?
Reactions are currently unavailable