Date: Tue, 23 Apr 2013 16:25:15 +0000 (UTC)
From: "jukefox (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Commented] (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '

[ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13639199#comment-13639199 ]

jukefox commented on LANG-572:
------------------------------

Could you please describe why you conclude that the request is out of scope for {{escapeHtml}}? I cannot find any explanation in this ticket.

From my point of view it is essential to escape single quote characters not only because of possible XSS as described above but also to prevent syntactically illegal code when putting variable data as part of a value to an attribute when relying on {{escapeHtml}}.

Thanks.

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '
> ------------------------------------------------------------------
>
> Key: LANG-572
> URL: https://issues.apache.org/jira/browse/LANG-572
> Project: Commons Lang
> Issue Type: Improvement
> Components: lang.*
> Affects Versions: 2.4
> Environment: Operating System: All
> Platform: All
> Reporter: Keisuke Kato
> Priority: Minor
>
> If developers are putting untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:
> '*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
>
> I think [LANG-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).
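
The attribute breakout described in the quoted ticket, shown beside an encoder that also escapes the single quote. This is an added example, not code from the message or from Commons Lang. `escapeWithoutSingleQuote` is a stand-in that assumes the behaviour the ticket reports for `escapeHtml()`, and the `<input>` element, `escapeForAttribute`, `render` and `staysInsideAttribute` are hypothetical names, since the ticket's own markup did not survive in the message.

```java
public class SingleQuoteAttributeDemo {

    // Stand-in (assumption) for the behaviour reported in LANG-572:
    // escapes & < > " but leaves the single quote untouched.
    static String escapeWithoutSingleQuote(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical attribute-safe variant: same escapes, plus ' -> &#39;
    static String escapeForAttribute(String s) {
        return escapeWithoutSingleQuote(s).replace("'", "&#39;");
    }

    // Render a single-quoted attribute value (element chosen for illustration).
    static String render(String escapedValue) {
        return "<input type='text' value='" + escapedValue + "'>";
    }

    // True when the first raw ' after value=' is the closing quote of the tag,
    // i.e. the data could not terminate the attribute early.
    static boolean staysInsideAttribute(String tag) {
        int start = tag.indexOf("value='") + "value='".length();
        return tag.indexOf('\'', start) == tag.length() - 2;
    }

    public static void main(String[] args) {
        // Constructed input: the parameter value quoted in the ticket.
        String input = "*' onfocus='alert(document.cookie);' id='*";
        String weak = render(escapeWithoutSingleQuote(input));
        String safe = render(escapeForAttribute(input));
        System.out.println(weak + "\n  contained: " + staysInsideAttribute(weak));
        System.out.println(safe + "\n  contained: " + staysInsideAttribute(safe));
    }
}
```

The same check passes for either encoder when the template uses double-quoted attributes, which is why the delimiter chosen in the template matters as much as the escaping routine.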