commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Duncan Jones (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
Date Wed, 14 Nov 2012 16:30:13 GMT

    [ https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13497200#comment-13497200
] 

Duncan Jones commented on LANG-757:
-----------------------------------

As a quick test, I confirmed that Firefox 16.0.2 would render a "{{&copy}}" as a full-fledged
copyright symbol without the closing semicolon. Now that is far from conclusive proof that
we need to care about entities other than the long utf-8 and hex-encoded variety, but it is
interesting nonetheless.

I was also surprised that {{&ltfoo&gt}} rendered as {{<foo>}} in Firefox, despite
the lack of spaces between the "entities".

The question we must answer is: are we only concerned with entities that could be involved
in XSS attacks? If so, I must confess I don't know enough about that subject area to be sure
what characters are considered dangerous. If not, then my simple example above shows that
short entities may also be accepted with a missing semicolon.
                
> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>
>                 Key: LANG-757
>                 URL: https://issues.apache.org/jira/browse/LANG-757
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
>
>
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting
Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt;
(remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many
browsers will allow variations without semicolons, particularly the long UTF-8 encoding like
&#0000060.  Please see: http://ha.ckers.org/xss.html
> Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the
method could allow better backward compatibility.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message