Return-Path: X-Original-To: apmail-commons-issues-archive@minotaur.apache.org Delivered-To: apmail-commons-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 61D8B10A58 for ; Mon, 2 Dec 2013 09:13:49 +0000 (UTC) Received: (qmail 94345 invoked by uid 500); 2 Dec 2013 09:13:45 -0000 Delivered-To: apmail-commons-issues-archive@commons.apache.org Received: (qmail 94090 invoked by uid 500); 2 Dec 2013 09:13:43 -0000 Mailing-List: contact issues-help@commons.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: issues@commons.apache.org Delivered-To: mailing list issues@commons.apache.org Received: (qmail 94018 invoked by uid 99); 2 Dec 2013 09:13:36 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Dec 2013 09:13:36 +0000 Date: Mon, 2 Dec 2013 09:13:36 +0000 (UTC) From: "Andy Reek (JIRA)" To: issues@commons.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (LANG-871) [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript? MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/LANG-871?page=3Dcom.atlassian.= jira.plugin.system.issuetabpanels:all-tabpanel ] Andy Reek updated LANG-871: --------------------------- Description: org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScrip= t does the escape via a prefixed '\' on all characters which must be escape= d. I am not sure if this is really secure, if am looking at the comments on= https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Chea= t_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_= JavaScript_Data_Values. They say it is possible to do an attack by escape t= he escape. I tested this with the string '\"' and the output was '\\\"'. Is= this really ecma-/java-script secure? Or is it better to use the implement= ation used by OWASP? (was: org.apache.commons.lang3.StringEscapeUtils.esca= peEcmaScript does the escape via a prefixed '\' on all characters which mus= t be escaped. I am not sure if this is really secure, if am looking at the = comments on https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prev= ention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted= _Data_into_JavaScript_Data_Values. They say it is possible to do an attack = by escape the escape. I tested this with the string '\"' and the output was= '\\\"'. Is this really ecma-/java-script secure? Or is it better to use th= e the implementation used by OWASP?) > [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript? > ------------------------------------------------------------------ > > Key: LANG-871 > URL: https://issues.apache.org/jira/browse/LANG-871 > Project: Commons Lang > Issue Type: Bug > Components: lang.* > Affects Versions: 3.1 > Reporter: Andy Reek > Labels: XSS > Fix For: Discussion > > > org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the esca= pe via a prefixed '\' on all characters which must be escaped. I am not sur= e if this is really secure, if am looking at the comments on https://www.ow= asp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.2= 33_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data= _Values. They say it is possible to do an attack by escape the escape. I te= sted this with the string '\"' and the output was '\\\"'. Is this really ec= ma-/java-script secure? Or is it better to use the implementation used by O= WASP? -- This message was sent by Atlassian JIRA (v6.1#6144)