Confusing example in Encode.forHtmlAttribute docs

Question

Confusing example in Encode.forHtmlAttribute docs

meeque opened this issue 7 months ago · 3 comments

Currently the Encode.forHtmlAttribute JavaDocs contain this JSP example:

<div><%=Encode.forHtmlAttribute(unsafeData)%></div>

I guess this may be secure, but imho it does not reflect the intention of this method. How about using an example that involves html attributes? Maybe something like this:

<div title="<%=Encode.forHtmlAttribute(unsafeData)%>">...</div>
<div title='<%=Encode.forHtmlAttribute(unsafeData)%>'>...</div>

Imho the JavaDocs should also mention that the caller of this method must add quotes around the outputs of this method.

If you think any of this is helpful, I can prepare a PR.

Answer 1 · 2024-04-17T23:06:59.000Z

I agree. That's a Javadoc bug. I thought that quotes were mentioned as being required somewhere in the Encode Javadoc, but I could be wrong about that.

I'd say PR away, but that's not really my call.

Answer 2 · 2024-04-18T22:55:58.000Z

Well, I've proposed PR #72 to fix this. Feel free to provide feedback...

Answer 3 · 2024-07-26T10:56:02.000Z

PR has been merged. Thanks again for the PR!