commons-issues mailing list archives

From "Bruno P. Kinoshita (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TEXT-42) [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
Date Fri, 10 Feb 2017 20:17:41 GMT

    [ https://issues.apache.org/jira/browse/TEXT-42?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861807#comment-15861807 ]

Bruno P. Kinoshita commented on TEXT-42:
----------------------------------------

I agree on adding notes to the javadoc regarding security. Neutral on adding methods specifically
for that. My concern would be on having to add multiple secureFoo methods for other things
that may be explored for attacks in the future.

> [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
> ------------------------------------------------------------------
>
>                 Key: TEXT-42
>                 URL: https://issues.apache.org/jira/browse/TEXT-42
>             Project: Commons Text
>          Issue Type: Bug
>            Reporter: Andy Reek
>              Labels: XSS
>             Fix For: 1.x
>
>
> org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape via a prefixed
> '\' on all characters which must be escaped. I am not sure if this is really secure, if I am
> looking at the comments on https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values.
> They say it is possible to do an attack by escaping the escape. I tested this with the string
> '\"' and the output was '\\\"'. Is this really ecma-/java-script secure? Or is it better to
> use the implementation used by OWASP?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
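The "escape the escape" question in the issue above can be settled by letting a JavaScript engine parse the escaped output. The block below is an added example for this archive page, not code from Commons Text, Commons Lang or OWASP: it defines three escapers written for the example (`escapeQuotesOnly`, the quote-only shortcut OWASP warns about; `escapeBackslashStyle`, an approximation of the backslash-prefix behaviour the reporter describes for `escapeEcmaScript`, which escapes the backslash itself and so turns `\"` into `\\\"`; and `escapeHexStyle`, the `\xHH` form from OWASP Rule #3), then embeds each result in a double-quoted string literal via `new Function` (a stand-in sink chosen for the example) and checks whether the literal round-trips to the untrusted input. The payloads are constructed for the demonstration, and `survivesScriptElement` is an extra check for the HTML `<script>` context that the JS parser alone cannot see.

```javascript
'use strict';
// Added example for TEXT-42 (not Commons Text / Commons Lang / OWASP code).
// The escapers below are approximations written for this example.

// (a) Quote-only escaping: the OWASP "escape the escape" victim. An input
//     backslash passes through, so \" becomes \\" and the quote stays live.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// (b) Backslash-prefix escaping as the issue describes it: the backslash
//     itself, both quote kinds and '/' get a '\' prefix; everything outside
//     printable ASCII becomes \uXXXX. Because '\' is escaped, \" becomes
//     \\\" (three backslashes), which is what the reporter observed.
function escapeBackslashStyle(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const cu = s.charCodeAt(i);
    if (ch === '\\' || ch === '"' || ch === "'" || ch === '/') {
      out += '\\' + ch;
    } else if (cu < 0x20 || cu > 0x7e) {
      out += '\\u' + cu.toString(16).padStart(4, '0');
    } else {
      out += ch;
    }
  }
  return out;
}

// (c) OWASP XSS Prevention Cheat Sheet Rule #3 style: every non-alphanumeric
//     character below 256 as \xHH, anything above as \uXXXX, so no character
//     that an HTML or JS parser treats specially survives.
function escapeHexStyle(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const cu = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cu < 256) {
      out += '\\x' + cu.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + cu.toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Embed escaper(untrusted) in `var s = "..."; return s;` and run it. A safe
// escaper makes this return exactly `untrusted`; a broken one returns whatever
// the injected code produced, or the name of the parse error.
function parseLiteral(escaper, untrusted) {
  const source = 'var s = "' + escaper(untrusted) + '"; return s;';
  try {
    return new Function(source)(); // hypothetical sink standing in for an inline <script>
  } catch (e) {
    return e.name;
  }
}

// HTML-context check: a JS-correct literal is still unsafe inside
// <script>...</script> if the escaped text contains "</script", because the
// HTML parser closes the element before any JavaScript runs.
function survivesScriptElement(escaper, untrusted) {
  return !/<\/script/i.test(escaper(untrusted));
}

// Constructed payloads for the demonstration (not from the issue's reporter,
// except the first, which is the string the reporter says they tested).
const PAYLOADS = {
  fromIssue: '\\"',                    // \"
  escapeTheEscape: '\\";return 42;//', // \";return 42;//  -> runs code if the quote goes live
  newline: 'a\nb',                     // a raw newline terminates a JS string literal
  scriptCloser: '</script><script>x</script>',
};

// One row per payload/escaper pair: does the literal round-trip, and is the
// escaped text safe to drop into a <script> element.
function report() {
  const rows = [];
  for (const [name, p] of Object.entries(PAYLOADS)) {
    for (const esc of [escapeQuotesOnly, escapeBackslashStyle, escapeHexStyle]) {
      rows.push({
        payload: name,
        escaper: esc.name,
        roundTrips: parseLiteral(esc, p) === p,
        htmlSafe: survivesScriptElement(esc, p),
      });
    }
  }
  return rows;
}

console.table(report());
```

Run with `node`: the quote-only escaper is the one the OWASP "escape the escape" remark applies to (its output for `\";return 42;//` makes the literal return 42, i.e. injected code ran), while the backslash-prefix style, because it escapes the backslash as well as the quote, round-trips every payload. What backslash-prefix escaping does not do by itself is make the result safe in every HTML position; OWASP's `\xHH` form is the more conservative choice when the insertion context is not tightly controlled.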
