commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Duncan Jones (JIRA)" <>
Subject [jira] [Updated] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
Date Sat, 22 Sep 2012 21:03:07 GMT


Duncan Jones updated LANG-757:

    Attachment: commons-lang3-LANG-757.patch

Attached is a patch that adds overloaded unescapeHtml3 and unescapeHtml4 methods, which accept
a boolean parameter to indicate if semicolons are optional (plus tests).
> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>                 Key: LANG-757
>                 URL:
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting
Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt;
(remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many
browsers will allow variations without semicolons, particularly the long UTF-8 encoding like
&#0000060.  Please see:
> Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the
method could allow better backward compatibility.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message