
You need to escape =. Otherwise if someone does something like:

document.write("<a class=" + str + " href='foo'>xss</a>");

The attacker can set str to "foo onclick=alert(1)".



You can't safely put arbitrary user input in an unquoted attribute value.


You should put quotes around the attribute value.

Then you won't need to escape =.


The issue is when a developer forgets to do so. No reason to not escape it.



