commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Hale (JIRA)" <j...@apache.org>
Subject [jira] [Created] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
Date Fri, 23 Sep 2011 15:20:26 GMT
StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
---------------------------------------------------------------------

                 Key: LANG-757
                 URL: https://issues.apache.org/jira/browse/LANG-757
             Project: Commons Lang
          Issue Type: Improvement
          Components: lang.*
    Affects Versions: 2.x
            Reporter: Steve Hale
            Priority: Minor


org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting
Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt;
(remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many
browsers will allow variations without semicolons, particularly the long UTF-8 encoding like
&#0000060.  Please see: http://ha.ckers.org/xss.html

Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the method
could allow better backward compatibility.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message