commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Duncan Jones (JIRA)" <>
Subject [jira] [Commented] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
Date Tue, 06 Nov 2012 14:58:13 GMT


Duncan Jones commented on LANG-757:

It was intentional, but indeed should have been documented. Do you
think its worth performing a check on the string prior to stripping or
is a well-documented assumption sufficient?

Urgh, that's embarrassing. Yes, there was no intention to publish that
method outside the class.

Not sure on this one. If you can cite documents that state it is
either unnecessary (or plain wrong), then I guess the method should be
altered. (I didn't find the OWASP document particular easy to
comprehend, so perhaps I missed that fact).


> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>                 Key: LANG-757
>                 URL:
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting
Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt;
(remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many
browsers will allow variations without semicolons, particularly the long UTF-8 encoding like
&#0000060.  Please see:
> Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the
method could allow better backward compatibility.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message