commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Duncan Jones (JIRA)" <>
Subject [jira] [Updated] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
Date Wed, 14 Nov 2012 16:42:13 GMT


Duncan Jones updated LANG-757:

    Attachment: commons-lang3-LANG-757.patch

New patch reverts public method to private and adds comment explaining the simplistic removal
of the semicolon.
> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>                 Key: LANG-757
>                 URL:
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting
Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt;
(remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many
browsers will allow variations without semicolons, particularly the long UTF-8 encoding like
&#0000060.  Please see:
> Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the
method could allow better backward compatibility.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message