From chtom...@apache.org
Subject [text] TEXT-52: Javadoc for XSS on escapeEcmaScript
Date Mon, 02 Jan 2017 15:02:20 GMT
Repository: commons-text
Updated Branches:
  refs/heads/master ba4e4932f -> e1d091c90


TEXT-52: Javadoc for XSS on escapeEcmaScript


Project: http://git-wip-us.apache.org/repos/asf/commons-text/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-text/commit/e1d091c9
Tree: http://git-wip-us.apache.org/repos/asf/commons-text/tree/e1d091c9
Diff: http://git-wip-us.apache.org/repos/asf/commons-text/diff/e1d091c9

Branch: refs/heads/master
Commit: e1d091c90917e9317c2c021298c9bfa94b64b469
Parents: ba4e493
Author: Rob Tompkins <chtompki@gmail.com>
Authored: Mon Jan 2 10:02:13 2017 -0500
Committer: Rob Tompkins <chtompki@gmail.com>
Committed: Mon Jan 2 10:02:13 2017 -0500

----------------------------------------------------------------------
 src/main/java/org/apache/commons/text/StringEscapeUtils.java | 8 ++++++++
 .../commons/text/translate/SingleLookupTranslator.java       | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-text/blob/e1d091c9/src/main/java/org/apache/commons/text/StringEscapeUtils.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/text/StringEscapeUtils.java b/src/main/java/org/apache/commons/text/StringEscapeUtils.java
index 69ec2a1..57eb92a 100644
--- a/src/main/java/org/apache/commons/text/StringEscapeUtils.java
+++ b/src/main/java/org/apache/commons/text/StringEscapeUtils.java
@@ -612,6 +612,14 @@ public class StringEscapeUtils {
      * output string: He didn\'t say, \"Stop!\"
      * </pre>
      *
+     * <b>Security Note.</b> We only provide backslash escaping in this method.
For example, {@code '\"'} has the output
+     * {@code '\\\"'} which could result in potential issues in the case where the string
being escaped is being used
+     * in an HTML tag like {@code <select onmouseover="..." />}. If you wish to have
more rigorous string escaping, you
+     * may consider the
+     * <a href="https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API_JAVA">ESAPI
Libraries</a>. Further,
+     * you can view the
+     * <a href="https://github.com/esapi">ESAPI GitHub Org</a>.
+     *
      * @param input  String to escape values in, may be null
      * @return String with escaped values, {@code null} if null string input
      */
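Review bot: The new security note says the backslash-escaped output "could result in potential issues" inside an HTML attribute but never states the actual contract, which is the part a caller needs: the method escapes for a JavaScript string-literal context only and does no HTML encoding. The example right above shows why that matters — the double quote survives in the output as `\"`, so if the result is dropped into an attribute such as `onmouseover="..."` the HTML parser still treats that quote as the end of the attribute before any JavaScript is ever evaluated. I would replace the vague sentence with an explicit statement, e.g. `This method escapes for a JavaScript string literal only and performs no HTML encoding; if the result is embedded in HTML markup or an attribute, apply HTML escaping (for example {@link #escapeHtml4(String)}) as a separate step.` The ESAPI pointers can stay as-is after that sentence. This Javadoc belongs to escapeEcmaScript, whose signature and body lie outside the hunk, and several of the added lines appear soft-wrapped by the mail archive rather than by the commit.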

http://git-wip-us.apache.org/repos/asf/commons-text/blob/e1d091c9/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java b/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
index 0b9117e..e52daf8 100644
--- a/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
+++ b/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
@@ -33,7 +33,7 @@ public class SingleLookupTranslator extends CharSequenceTranslator {
      * lookup table passed to this instance while deciding whether a value is
      * already translated or not.
      *
-     * @param inputArrays
+     * @param inputArrays, an array of string arrays.
      */
     public SingleLookupTranslator(final String[][]... inputArrays) {
         String[][] lookup = new String[0][];
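Review bot: The comma in the new `@param inputArrays, an array of string arrays.` is not Javadoc tag syntax — the form is `@param name description`, so the comma is rendered as the first character of the description. The wording also undersells the type: the signature is `String[][]... inputArrays`, a varargs of two-dimensional arrays, each of which the surrounding text calls a lookup table. I would write `* @param inputArrays one or more {@code String[][]} lookup tables` and keep the rest of the paragraph. The constructor body continues past the end of the hunk.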

