Why does Nette not escape “<” and “>” characters inside attributes?

4 years ago

jkl
Member | 4

Hi,
why does Nette not escape “<” and “>” characters inside attributes?

It may be allowed in HTML 5, but in XHTML/XML it's invalid.

4 years ago

Aurielle
Member | 1283

Try turning on Nette\Utils\Html::$xhtml or changing the template content type; Latte should escape correctly for XML then.

Turn on XHTML mode in config.neon: https://doc.nette.org/…/configuring#…

Last edited by Aurielle (2015-07-25 01:38)

4 years ago

David Grudl
Nette Core | 6886

It is valid in XML.

4 years ago

jkl
Member | 4

David Grudl wrote:

It is valid in XML.

Really?

Try to open this XML in a browser:

<?xml version="1.0" encoding="UTF-8"?>
<test>
    <val value="<">test</val>
</test>

You'll get this error:

This page contains the following errors:
error on line 3 at column 13: Unescaped '<' not allowed in attributes values

4 years ago

David Grudl
Nette Core | 6886

You're right, < is not allowed.
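
The rule the thread arrives at, as an added example that is not part of the original posts and is not Nette or Latte code: it uses only PHP's built-in libxml and htmlspecialchars() to check the two characters from the question and to show an escaper whose output stays well-formed. The helper names (xmlErrors, escapeXmlAttr, wrap) and the sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Returns libxml's error messages for $xml; an empty array means well-formed. */
function xmlErrors(string $xml): array
{
    $previous = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    libxml_clear_errors();
    simplexml_load_string($xml);
    $messages = array_map(
        static fn(LibXMLError $e): string => trim($e->message),
        libxml_get_errors()
    );
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $messages;
}

/** Escapes a value for use inside a quoted XML attribute. */
function escapeXmlAttr(string $value): string
{
    // ENT_XML1 restricts output to XML's predefined entities;
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Builds the document from the thread with $attr placed verbatim in the attribute. */
function wrap(string $attr): string
{
    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
        . '<test><val value="' . $attr . '">test</val></test>';
}

// Constructed sample values.
$cases = [
    'raw < in attribute' => wrap('<'),
    'raw > in attribute' => wrap('>'),
    'escaped value'      => wrap(escapeXmlAttr('<b class="x">Tom & Jerry\'s</b>')),
];

foreach ($cases as $label => $xml) {
    $errors = xmlErrors($xml);
    printf("%-20s %s\n", $label, $errors ? 'NOT well-formed: ' . $errors[0] : 'well-formed');
}
```

In XML only "<" and "&" are forbidden in attribute values (plus the delimiting quote), so the raw ">" case parses while the raw "<" case is rejected; escaping ">" as well is harmless.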