
I wonder if the character & is safe to be output to a browser. In case '<' '>' '\'' '\"' '=' are all encoded, is there a possibility to get damaged by an attack if '&' isn't encoded?

Tharif
Th3B0Y
    See http://stackoverflow.com/questions/9124134/cross-site-scripting-xss-do-i-need-to-escape-the-ampersand and the comments – Armand Grillet May 21 '15 at 12:20
  • @ArmandGrillet, thanks. That's what I asked. I searched previously, but as I didn't look for "ampersand" I couldn't find it. – Th3B0Y May 21 '15 at 12:24

1 Answer


It is not safe, you should escape it. You can see an example of exploiting XSS using & here: http://erlend.oftedal.no/blog/?blogid=124

Fernando Garcia
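An added example, not part of the original answer or of the linked blog post, showing the mechanism behind the answer: the HTML parser decodes character references inside attribute values after your output encoding has run, so a user-supplied, pre-encoded entity survives an escaper that skips '&' and is "unlocked" by the browser. The escaper functions, the simplified entity decoder, the `hrefSchemeSeenByBrowser` helper and the test input are all constructed for this illustration; real browsers know far more named entities than the handful modelled here.

```javascript
// Added example (not from the original post): why '&' belongs in the HTML escape set.

// Partial escaper: the situation the question describes (everything but '&').
function escapeWithoutAmp(s) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '=': '&#61;' };
  return s.replace(/[<>"'=]/g, (c) => map[c]);
}

// Full escaper: '&' is in the set, so entities supplied by the user are neutralised
// (they reach the browser as literal text, e.g. '&amp;#106;').
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '=': '&#61;' };
  return s.replace(/[&<>"'=]/g, (c) => map[c]);
}

// Simplified model of what the browser does with an attribute value: decode named
// and numeric character references exactly once. Only a few named entities are
// modelled here (assumption for the example; browsers know about 2000 of them).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    const named = NAMED[body.toLowerCase()];
    return named !== undefined ? named : match; // unknown reference stays as-is
  });
}

// Simulate: a user-controlled string is placed in an href attribute after escaping,
// then the parser decodes the attribute and the URL logic reads the scheme.
// Returns the scheme the browser would see, or null if the value has none.
function hrefSchemeSeenByBrowser(userInput, escaper) {
  const attrValue = escaper(userInput);      // what lands in the markup
  const decoded = decodeEntities(attrValue); // what the parser hands to the URL logic
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decoded);
  return m ? m[1].toLowerCase() : null;
}

// Constructed test input: the letter 'j' written as a decimal character reference.
// It contains none of < > " ' =, so the partial escaper passes it through untouched.
const CONSTRUCTED_INPUT = '&#106;avascript:payload()';

// Without '&' escaping the browser ends up with the 'javascript' scheme; with it,
// the decoded value starts with the literal text '&#106;', which is no scheme at all.
console.log(hrefSchemeSeenByBrowser(CONSTRUCTED_INPUT, escapeWithoutAmp)); // javascript
console.log(hrefSchemeSeenByBrowser(CONSTRUCTED_INPUT, escapeHtml));       // null
```

The design point is ordering: `escapeHtml` replaces '&' in the same pass as the other characters, so an entity the user typed can never be produced by the escaper's own output being decoded. A useful check for any escaper in your code base is the pair of calls at the bottom: the partial variant must fail it and the full one must pass.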