commons-issues mailing list archives

From "Keisuke Kato (JIRA)" <j...@apache.org>
Subject [jira] Created: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
Date Sat, 19 Dec 2009 15:01:18 GMT
[XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 
------------------------------------------------------------------

                 Key: LANG-572
                 URL: https://issues.apache.org/jira/browse/LANG-572
             Project: Commons Lang
          Issue Type: Improvement
          Components: lang.*
    Affects Versions: 2.4
         Environment: Operating System: All
Platform: All 
            Reporter: Keisuke Kato


If developers put untrusted data into attribute values using the single quote character
' and StringEscapeUtils.escapeHtml() like:

<input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>

Then, the attacker is able to break out of the HTML attribute context like:

hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*

<input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>

I think LANG-122 (https://issues.apache.org/jira/browse/LANG-122) is not truly fixed from
this aspect (XSS).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
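As an added example (not part of the issue above, and not Commons Lang code), here is a minimal attribute-safe escaper that encodes the single quote as &#39; in addition to the characters escapeHtml() already handles, so the reported value cannot terminate a single-quoted attribute. The class name and the constructed input are assumptions for illustration.

```java
// Added example: minimal escaper for HTML attribute values that also
// encodes ' as &#39;, the case this issue reports as missing from
// StringEscapeUtils.escapeHtml(). Not part of Commons Lang.
public final class AttributeEscaper {

    /** Escape s for use inside a single- or double-quoted HTML attribute value. */
    public static String escapeAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // the case escapeHtml() does not cover
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the parameter value quoted in the report.
        String input = "' onfocus='alert(document.cookie);' id='";
        String escaped = escapeAttribute(input);

        // Self-check: no raw quote or angle bracket may survive escaping.
        for (char c : new char[] {'\'', '"', '<', '>'}) {
            if (escaped.indexOf(c) >= 0) {
                throw new AssertionError("unescaped character: " + c);
            }
        }

        // The value now stays inside one attribute instead of opening new ones.
        System.out.println("<input type='text' name='input' value='" + escaped + "'>");
    }
}
```

The ampersand is escaped first in the loop only by coincidence of the switch; each character is handled once, so no double-escaping occurs.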

