id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23502	Request for an escape_all filter for non-alphanumeric chars with ASCII values less than 256	djbug	nobody	"If you want to put untrusted data in attributes, [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes OWASP recommends] escaping a lot more characters than what's needed for escaping untrusted data in HTML elements:


> Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and |.

The recommendation for JavaScript escaping is somewhat similar, except for using `\xHH` format instead of `&#xHH;`. This would be a useful addition to security-related utilities.

P.S. Another reference: http://wonko.com/post/html-escaping
"	New feature	closed	Utilities	1.7	Normal	wontfix			Unreviewed	0	0	0	0	0	0
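The following is an added illustration of the filter the ticket asks for; it is not code from Django or from the ticket reporter. It implements the OWASP rule quoted above literally: ASCII letters and digits pass through, every other character with a code point below 256 becomes `&#xHH;` (or `\xHH` for a JavaScript string literal), and code points of 256 and above are left untouched, as the rule says nothing about them (an assumption noted in the code). The function names `escape_all_html`, `escape_all_js`, `render_unquoted_title` and `conforms_to_rule` are chosen for this example. Note the deliberate avoidance of `str.isalnum()`: it accepts letters such as `é` (U+00E9), which the rule requires to be escaped.

```python
import re
import string

# Only ASCII letters and digits pass through unescaped. str.isalnum() is
# deliberately NOT used: "é".isalnum() is True, but U+00E9 is below 256
# and the OWASP rule requires it to be escaped.
_SAFE = frozenset(string.ascii_letters + string.digits)


def escape_all_html(value):
    """Escape every non-alphanumeric character with code point < 256 as
    &#xHH; so the value stays a single token even in an unquoted attribute.
    Code points >= 256 are passed through unchanged (assumption: the rule as
    quoted only covers values below 256)."""
    out = []
    for ch in str(value):
        cp = ord(ch)
        if ch in _SAFE or cp >= 256:
            out.append(ch)
        else:
            out.append("&#x%02X;" % cp)
    return "".join(out)


def escape_all_js(value):
    """Same rule for data placed inside a quoted JavaScript string literal,
    using the \\xHH escape form instead of an HTML entity."""
    out = []
    for ch in str(value):
        cp = ord(ch)
        if ch in _SAFE or cp >= 256:
            out.append(ch)
        else:
            out.append("\\x%02X" % cp)
    return "".join(out)


def render_unquoted_title(untrusted):
    """A template with a deliberately unquoted attribute (the situation the
    OWASP rule is designed to survive). With escape_all applied, the value
    cannot contain the space, '=', '>' etc. that would end the attribute."""
    return "<div title=%s>" % escape_all_html(untrusted)


# Self-check: the output must consist solely of ASCII alphanumerics,
# well-formed two-digit &#xHH; entities, or characters >= 256.
_RULE_RE = re.compile(r"^(?:[A-Za-z0-9]|&#x[0-9A-F]{2};|[^\x00-\xff])*$")


def conforms_to_rule(escaped):
    """True if `escaped` contains nothing the OWASP attribute rule forbids."""
    return bool(_RULE_RE.match(escaped))


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for sample in ("hello world=1", "café", "it's", "€"):
        print(repr(sample), "->", escape_all_html(sample), "|", escape_all_js(sample))
    print(render_unquoted_title("hello world=1"))
```

Because the entity form itself contains `&`, `#` and `;`, a naive check for "no breakout characters in the output" would reject correct output; `conforms_to_rule` instead validates that the output is built only from the three permitted pieces.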
