commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Duncan Jones (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
Date Wed, 14 Nov 2012 16:16:12 GMT

    [ https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491494#comment-13491494
] 

Duncan Jones edited comment on LANG-757 at 11/14/12 4:14 PM:
-------------------------------------------------------------

{quote}
The method EntityArrays.semiColonOptional unconditionally strips the last character from the
second element.

If this is intentional, it should be clearly documented.
{quote}

It was intentional, but indeed should have been documented. Do you
think its worth performing a check on the string prior to stripping or
is a well-documented assumption sufficient?

bq. Also, the method is public, yet it is only needed locally - it should be made private.

Urgh, that's embarrassing. Yes, there was no intention to publish that
method outside the class.

{quote}
Is it really necessary to detect "&lt" ?
My reading of the referenced docs suggests that only Long UTF-8 entities and hex encoded entities
are recognised without ";".
{quote}

Not sure on this one. If you can cite documents that state it is
either unnecessary (or plain wrong), then I guess the method should be
altered. (I didn't find the OWASP document particular easy to
comprehend, so perhaps I missed that fact).

                
      was (Author: dmjones500):
    
It was intentional, but indeed should have been documented. Do you
think its worth performing a check on the string prior to stripping or
is a well-documented assumption sufficient?



Urgh, that's embarrassing. Yes, there was no intention to publish that
method outside the class.



Not sure on this one. If you can cite documents that state it is
either unnecessary (or plain wrong), then I guess the method should be
altered. (I didn't find the OWASP document particular easy to
comprehend, so perhaps I missed that fact).

Duncan

                  
> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>
>                 Key: LANG-757
>                 URL: https://issues.apache.org/jira/browse/LANG-757
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
>
>
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting
Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt;
(remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many
browsers will allow variations without semicolons, particularly the long UTF-8 encoding like
&#0000060.  Please see: http://ha.ckers.org/xss.html
> Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the
method could allow better backward compatibility.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message