fix: escape localName, prefix, tag names, doctypes, and XML processing instructions #23

Closed

dgp1130 wants to merge 1 commit into angular:main from dgp1130:escaping

dgp1130 commented Mar 12, 2026

HTML escaping this content ensures unsanitized user input doesn't lead to XSS vulnerabilities in the final rendered output.

@securityMB @AndrewKushnir

dgp1130 added the bug (Something isn't working) label Mar 12, 2026

dgp1130 removed the request for review from AndrewKushnir March 12, 2026 01:26

@alan-agius4

NB: Once the fix is merged, we need to sync domino manually in g3.

…ssing instructions

HTML escaping this content ensures unsanitized user input doesn't lead to XSS vulnerabilities in the final rendered output.

dgp1130 commented Mar 13, 2026

Closing in favor of #26.

dgp1130 closed this Mar 13, 2026

dgp1130 deleted the escaping branch March 13, 2026 15:51