commons-issues mailing list archives

From "Keisuke Kato (JIRA)" <>
Subject [jira] Created: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
Date Sat, 19 Dec 2009 15:01:18 GMT
[XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 

                 Key: LANG-572
             Project: Commons Lang
          Issue Type: Improvement
          Components: lang.*
    Affects Versions: 2.4
         Environment: Operating System: All
Platform: All 
            Reporter: Keisuke Kato

If developers put untrusted data into attribute values using the single quote character
' and StringEscapeUtils.escapeHtml() like:

<input type='text' name='input' value='<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'>

Then, the attacker is able to break out of the HTML attribute context like:

hxxp://' onfocus='alert(document.cookie);' id='

<input type='text' name='input' value=''onfocus='alert(document.cookie);'id=''>

I think LANG-122 is not truly fixed from
this aspect (XSS).

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
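The defensive point of the report is that an attribute-context escaper has to neutralise both quote characters, not just `"`. The following Java class is an added, standalone example (it is not commons-lang code and does not call `StringEscapeUtils`): it escapes `&`, `<`, `>`, `"` and `'` (the last as `&#39;`, the entity the report asks for), renders the same single-quoted `<input>` tag from the report, and checks that the escaped value can no longer close the attribute early. The class and method names (`AttributeEscaper`, `escapeAttr`, `renderInput`, `attributeIsIntact`) and the probe string fed to it are constructed for this demo.

```java
// Added example, not part of commons-lang: an escaper that also covers the
// single quote, so a value placed inside a '...' delimited attribute stays
// inside that attribute.
public final class AttributeEscaper {

    private AttributeEscaper() {}

    // Escapes the five characters that can change meaning inside an HTML
    // attribute value. The numeric reference &#39; is used rather than &apos;
    // because &apos; is an XML entity and is not defined in HTML 4.
    public static String escapeAttr(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Renders the single-quoted <input> tag from the report with the
    // untrusted value escaped for the attribute context.
    public static String renderInput(String untrusted) {
        return "<input type='text' name='input' value='" + escapeAttr(untrusted) + "'>";
    }

    // Check used by a unit test or code review: after escaping, the value
    // contains no raw quote of either kind and no '<', so neither quoting
    // style of the enclosing attribute can be terminated by the input.
    public static boolean attributeIsIntact(String untrusted) {
        String v = escapeAttr(untrusted);
        return v.indexOf('\'') < 0 && v.indexOf('"') < 0 && v.indexOf('<') < 0;
    }

    public static void main(String[] args) {
        // Constructed probe input: the break-out string quoted in the report.
        String probe = "' onfocus='alert(document.cookie);' id='";
        System.out.println(renderInput(probe));
        System.out.println("attribute intact: " + attributeIsIntact(probe));
    }
}
```

Running `main` shows the probe rendered as a single inert attribute value, with every `'` replaced by `&#39;`; `attributeIsIntact` returns `true` for it. The same check returns `false` if `escapeAttr` is swapped for an escaper that leaves `'` untouched, which is exactly the gap the report describes for attributes delimited with single quotes.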
