commons-issues mailing list archives

From "jukefox (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
Date Wed, 24 Apr 2013 12:05:15 GMT

[ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13640304#comment-13640304 ]

jukefox edited comment on LANG-572 at 4/24/13 12:04 PM:
--------------------------------------------------------

OK. Heretical question: could you tell me what the method is useful for when it is not safe
to use for escaping characters within arbitrary HTML content?
I know of a way of doing it on my own, but maybe there are further characters as well that
need to be escaped when the output is used, e.g., within the value of an attribute.

By the way: ESAPI ({{org.owasp.esapi.reference.DefaultEncoder.encodeForHTML(String)}}) and
Spring ({{org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(String)}}) both escape that
character as well. I am convinced that Apache Commons Lang should behave the same way. Please
reconsider your decision not to encode that and maybe other missing characters.

Thanks.

      was (Author: jukefox):
    OK. Heretical question: could you tell me what the method is useful for when it is not
safe to use for escaping characters within arbitrary HTML content?
Is it ESAPI you would suggest as an alternate implementation that would meet the requirement?
I know of a way of doing it on my own, but maybe there are further characters as well that
need to be escaped when the output is used, e.g., within the value of an attribute.

Thanks.

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 
> ------------------------------------------------------------------
>
>                 Key: LANG-572
>                 URL: https://issues.apache.org/jira/browse/LANG-572
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.4
>         Environment: Operating System: All
> Platform: All 
>            Reporter: Keisuke Kato
>            Priority: Minor
>
> If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>
> I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
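The attribute-context problem from the issue description, as an added example (not code from this thread or from Commons Lang): the report's payload is rendered into a single-quoted `value` attribute once through an escaper that covers only `& < > "` and once through one that also maps `'` to `&#39;`, and each result is parsed to see which attributes a browser-like parser actually finds. All function names and the sample payload are this example's own.

```python
# Added example; not part of LANG-572 or of Commons Lang. Function names are assumptions.
from html.parser import HTMLParser


def escape_html_basic(s: str) -> str:
    """Escapes only & < > ", the set the report says escapeHtml() covers."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def escape_html_attr(s: str) -> str:
    """Same set plus the single quote as &#39;, so the value is safe inside '...' too."""
    return escape_html_basic(s).replace("'", "&#39;")


def render_input(value: str, escaper) -> str:
    """Mirrors the JSP fragment in the report: a single-quoted value attribute."""
    return "<input type='text' name='input' value='%s'>" % escaper(value)


class _AttrCollector(HTMLParser):
    """Collects the attributes the parser assigns to the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Attributes a browser-like parser sees on the rendered <input>; values are entity-decoded."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


# Constructed payload with the same shape as the one in the report.
PAYLOAD = "' onfocus='alert(document.cookie);' id='"

if __name__ == "__main__":
    for name, escaper in (("basic", escape_html_basic), ("attr", escape_html_attr)):
        attrs = parsed_attributes(render_input(PAYLOAD, escaper))
        # With the basic set the parser sees an onfocus attribute; with &#39; it stays inside value.
        print(name, "onfocus present:", "onfocus" in attrs, attrs)
```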
