Date: Sat, 25 Oct 2014 02:49:35 +0000 (UTC)
From: "Bruno P. Kinoshita (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Commented] (LANG-1042) StringEscapeUtils.escapeHtml() does not escape single quote

[ https://issues.apache.org/jira/browse/LANG-1042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14183879#comment-14183879 ]

Bruno P. Kinoshita commented on LANG-1042:
------------------------------------------

> Duncan: Have a good think about the current functionality, then document it better so that people truly understand what it does and in which contexts it is useful (if any).

+1

> Robert: what about deprecating this method and introducing a new one – secureHtmlEscape – that escapes <, >, ', ", and &?

+0 I think adding a secureHtmlEscape method could fix this issue, but I'm not sure if that wouldn't mean that we could have further variations or methods for XML, HTML or other formats.

> StringEscapeUtils.escapeHtml() does not escape single quote
> -----------------------------------------------------------
>
>                 Key: LANG-1042
>                 URL: https://issues.apache.org/jira/browse/LANG-1042
>             Project: Commons Lang
>          Issue Type: Bug
>            Reporter: Robert Sussland
>            Priority: Critical
>
> The String Escape Utils should ensure that encoded data cannot escape from a string. However in HTML (starting with 1.0 and until the present), attribute values may be denoted by either single or double quotes. Therefore single quotes need to be escaped just as much as double quotes.
> From the standard: http://www.w3.org/TR/html4/intro/sgmltut.html#h-3.2.2
> {quote}
> By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa. Authors may also use numeric character references to represent double quotes (&#34;) and single quotes (&#39;). For double quotes authors can also use the character entity reference &quot;.
> {quote}
> Note that there have been several bugs in the wild in which string encoders use this library under the hood, and as a result fail to properly escape html attributes in which user input is stored:
>
> '>Howdy
> if user_data = ' onclick='payload' '
> then an attacker can inject their code into the page even if the developer is using the string escape utils to escape the user string.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
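The following is an added example, not code from Commons Lang or from anyone in this thread. It models the gap the report describes with a small escaper of its own: one pass that leaves the single quote alone (the behaviour attributed to escapeHtml()) and one that also turns it into `&#39;`, the name `secureHtmlEscape` being the hypothetical one proposed in the comment. The single-quoted `title` attribute it wraps the data in is an assumption, since the report's own snippet lost its tags; the sample value is the one from the report. The check at the end is the property a reviewer wants after escaping attribute data: none of the four characters that can end an attribute value or open a tag survive in the output.

```java
// Added example (not Commons Lang code): why an HTML escaper that skips the
// single quote is unsafe for single-quoted attributes, and the one-character fix.
public class AttributeEscapeDemo {

    // Minimal character-by-character escaper. With escapeSingleQuote == false it
    // mirrors the observable behaviour the LANG-1042 report describes (&, <, >, "
    // escaped, ' passed through); with true it also escapes the single quote.
    // &#39; is used rather than &apos; because the HTML 4 text quoted in the
    // report defines &quot; but no named entity for the single quote.
    static String escapeHtmlChars(String input, boolean escapeSingleQuote) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'':
                    if (escapeSingleQuote) {
                        out.append("&#39;");
                    } else {
                        out.append(c);   // the gap: quote reaches the attribute unchanged
                    }
                    break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for the behaviour the report attributes to escapeHtml().
    static String escapeLikeReported(String input) {
        return escapeHtmlChars(input, false);
    }

    // Hypothetical method from the thread: escapes <, >, ', " and &.
    static String secureHtmlEscape(String input) {
        return escapeHtmlChars(input, true);
    }

    // Assumed single-quoted attribute context (the report's own tags were lost).
    static String singleQuotedTitle(String escapedData) {
        return "<span title='" + escapedData + "'>Howdy</span>";
    }

    // Defensive check: escaped attribute data must contain none of the characters
    // that can terminate an attribute value or start a new tag.
    static boolean cannotBreakOutOfAttribute(String escapedData) {
        for (char c : escapedData.toCharArray()) {
            if (c == '\'' || c == '"' || c == '<' || c == '>') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Sample value taken from the report (constructed input for this demo).
        String userData = "' onclick='payload' ";

        String weak = escapeLikeReported(userData);
        String strong = secureHtmlEscape(userData);

        System.out.println("escapeHtml-like: " + singleQuotedTitle(weak));
        System.out.println("  stays inside attribute? " + cannotBreakOutOfAttribute(weak));
        System.out.println("secureHtmlEscape: " + singleQuotedTitle(strong));
        System.out.println("  stays inside attribute? " + cannotBreakOutOfAttribute(strong));
    }
}
```

Compile and run with `javac AttributeEscapeDemo.java && java AttributeEscapeDemo`. The first rendering shows the raw quotes closing the `title` value early, which is exactly the report's point; the second keeps every character of the user data inside the attribute. The `cannotBreakOutOfAttribute` check is the kind of assertion worth keeping in a project's own tests for whichever escaper it ends up documenting as safe for attribute values.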