-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
P3
-
Affects Version/s: 9
-
Component/s: tools
-
None
For JDK 9, see any <module>-frame.html file.
Look at the following extract:
<h1 title="Java SE 10 &amp; JDK 10 DRAFT 10-internal+0-adhoc.jjg.jdk10.closed" class="bar"><div style="margin-top: 9px;"><strong>Java SE 10 & JDK 10</strong> <br><strong>DRAFT 10-internal+0-adhoc.jjg.jdk10.closed</strong></div></h1>
Notice the &amp; in the value of the title attribute. Either the title string should be required to be a "plain text" string, and checked to be such, or else it should permit HTML and not be further escaped.
Also note that <div> inside <h1> is illegal, so if we're going to allow HTML, we should ensure it is restricted to flow content.
Look at the following extract:
<h1 title="Java SE 10 &amp; JDK 10 DRAFT 10-internal+0-adhoc.jjg.jdk10.closed" class="bar"><div style="margin-top: 9px;"><strong>Java SE 10 & JDK 10</strong> <br><strong>DRAFT 10-internal+0-adhoc.jjg.jdk10.closed</strong></div></h1>
Notice the &amp; in the value of the title attribute. Either the title string should be required to be a "plain text" string, and checked to be such, or else it should permit HTML and not be further escaped.
Also note that <div> inside <h1> is illegal, so if we're going to allow HTML, we should ensure it is restricted to flow content.
- relates to
-
-
- Resolved
-
-
-
- Closed
-