refactor(sbom): disable html escaping for CycloneDX #5764
Conversation
I'm worried that disabling HTML escaping might have side effects. For example, the description may have special characters.
by default. Do you think this is not enough?
So, why does CycloneDX apply HTML escaping by default? Meaningless for us?
CycloneDX doesn't apply HTML escaping. The Package URL format is based on URL syntax/escaping, not HTML syntax/escaping, so any use of additional HTML escaping after the URL was generated makes it invalid and non-conformant to the specification.
I didn't find any info on why we need to escape HTML characters. I checked the CycloneDX examples, and component descriptions contain non-escaped characters - https://github.com/CycloneDX/bom-examples/blob/7d529848e2f8bd65d03aec9eab16f139fd445ff4/SBOM/juice-shop/via_npm/flat/bom.1.4.json#L50746 I asked about this in the Slack channel - https://cycledx.slack.com/archives/C01PZRT73K9/p1702444970519159.
Looks like we can merge this PR - https://cyclonedx.slack.com/archives/C01PZRT73K9/p1702549347993479?thread_ts=1702526083.019229&cid=C01PZRT73K9
Thanks for confirming!
Description
Disable HTML escaping for CycloneDX.
Purl has already escaped all the necessary characters:
https://github.com/package-url/packageurl-go/blob/fe183c1943ec36f257fae7143e160978217104b6/packageurl.go#L369-L394
Related issues
Checklist
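The following is an added example, not code from this PR or from Trivy, showing what Go's `encoding/json` HTML escaping does to a CycloneDX component with a purl and a free-text description, and what changes when it is switched off. The `Component` type, the purl value with a `goos=linux&type=module` qualifier pair, and the description string are all constructed for the example; the PR's actual change inside the CycloneDX encoder is not reproduced here. It addresses both points from the conversation: the `&` that separates purl qualifiers is rewritten to `\u0026` by the default encoder, while quotes and backslashes in a description are escaped either way, so turning HTML escaping off does not produce invalid JSON.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Component is a constructed stand-in for the CycloneDX component fields the
// discussion is about (a Package URL plus a free-text description). It is not
// Trivy's or cyclonedx-go's type.
type Component struct {
	PURL        string `json:"purl"`
	Description string `json:"description"`
}

// Sample returns a constructed component: a purl whose qualifier separator is
// '&' (legal purl syntax) and a description that carries every character the
// HTML escaper rewrites ('<', '>', '&') plus a quote and a backslash, which the
// JSON encoder must escape regardless of the HTML setting.
func Sample() Component {
	return Component{
		PURL:        "pkg:golang/github.com/example/lib@v1.2.3?goos=linux&type=module",
		Description: `say "hi" <b>& bye</b> C:\tmp`,
	}
}

// Encode serialises c with encoding/json, with HTML escaping switched on
// (the encoder default) or off (what the PR does for CycloneDX output).
func Encode(c Component, escapeHTML bool) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(escapeHTML)
	if err := enc.Encode(c); err != nil {
		return "", err
	}
	// Encoder.Encode appends a trailing newline; drop it for comparison.
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// RoundTrip parses a JSON document back into a Component so the two encodings
// can be compared after decoding.
func RoundTrip(doc string) (Component, error) {
	var c Component
	err := json.Unmarshal([]byte(doc), &c)
	return c, err
}

func main() {
	c := Sample()
	for _, escape := range []bool{true, false} {
		doc, err := Encode(c, escape)
		if err != nil {
			panic(err)
		}
		// With escaping on, the purl contains "linux\u0026type"; with it off, "linux&type".
		fmt.Printf("escapeHTML=%-5v %s\n", escape, doc)
	}
}
```

Both documents decode to the same `Component`, so a JSON consumer sees no difference; the point raised in the thread is about the textual form of the purl inside the SBOM, where `\u0026` is not the character the purl specification uses as a qualifier separator. Whatever the escaping setting, `"` and `\` in the description are still escaped by the encoder, which is the check behind the side-effect concern.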