commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henri Yandell (JIRA)" <>
Subject [jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
Date Sat, 19 Dec 2009 21:21:18 GMT


Henri Yandell commented on LANG-572:

I don't think this is something the escapeHtml method should be trying to fix. It has a clear
responsibility, and XSS is not within it (unless HTML 5 changes this). 

It's easy in 3.0 for the developer to escape ' symbols by adding another translator. Possibly
we could add an escapeHtmlAndApos method. 

Or maybe chaining escapeEcmaScript to escapeHTML would work. Both options are within the realm
of responsibility of the developer.

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 
> ------------------------------------------------------------------
>                 Key: LANG-572
>                 URL:
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.4
>         Environment: Operating System: All
> Platform: All 
>            Reporter: Keisuke Kato
>            Priority: Minor
> If developers putting untrusted data into attribute values using the single quote character
' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>
> I think [LANG\-122|] is not truly fixed
from this aspect (XSS).

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message