commons-issues mailing list archives

From "Rob Tompkins (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TEXT-42) [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
Date Sat, 11 Feb 2017 15:31:41 GMT

[ https://issues.apache.org/jira/browse/TEXT-42?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862424#comment-15862424 ]

Rob Tompkins commented on TEXT-42:
----------------------------------

I'm fairly neutral on new methods. I doubt adding something named "secureFoo" would ever be
reasonable because, by virtue of the name, it seems to indicate that it's entirely secure.
Whereas that seems difficult to achieve, because security is determined by the usage context.

Sebb's point:

bq. I guess the question is: would using hex-encoding for all but alphanumeric characters
break any scripts?

seems reasonable, maybe we could implement such a method named something like "escapeEcmaWithHexEncodingsScript"
after some exploration has been done to resolve that question.

> [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
> ------------------------------------------------------------------
>
>                 Key: TEXT-42
>                 URL: https://issues.apache.org/jira/browse/TEXT-42
>             Project: Commons Text
>          Issue Type: Bug
>            Reporter: Andy Reek
>              Labels: XSS
>             Fix For: 1.x
>
>
> org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape via a prefixed
> '\' on all characters which must be escaped. I am not sure if this is really secure, if I am
> looking at the comments on https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values.
> They say it is possible to do an attack by escaping the escape. I tested this with the string
> '\"' and the output was '\\\"'. Is this really ecma-/java-script secure? Or is it better to
> use the implementation used by OWASP?
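Added example, not code from Commons Text or the OWASP cheat sheet: it places the '\"' sample from the issue into a double-quoted script literal under three escaping strategies (quote-only, the backslash-prefix style the issue describes, and the hex encoding Sebb asked about) and checks which ones the script parser reads back as the original value. The exact character sets of the two escapers are assumptions.

```javascript
// Added example, not Commons Text code. Character sets below are assumptions.

// Escapes only the quote character: the pattern the OWASP note warns about,
// because a supplied backslash then neutralises the added one.
function escapeQuoteOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Backslash-prefix style as the issue describes escapeEcmaScript: the backslash
// itself is escaped first, so '\"' becomes '\\\"' and stays inside the literal.
function escapeBackslash(s) {
  const map = { '\\': '\\\\', '"': '\\"', "'": "\\'", '/': '\\/',
                '\b': '\\b', '\t': '\\t', '\n': '\\n', '\f': '\\f', '\r': '\\r' };
  let out = '';
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (map[ch] !== undefined) out += map[ch];
    else if (code < 0x20) out += '\\u' + code.toString(16).padStart(4, '0');
    else out += ch;
  }
  return out;
}

// Hex style from the OWASP rule: every non-alphanumeric becomes \xHH or \uHHHH.
function escapeHex(s) {
  let out = '';
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (code < 0x100) out += '\\x' + code.toString(16).padStart(2, '0');
    else if (code < 0x10000) out += '\\u' + code.toString(16).padStart(4, '0');
    else out += '\\u{' + code.toString(16) + '}';
  }
  return out;
}

// Puts the escaped text inside a double-quoted literal and parses it the way a
// <script> block would. Returns the value the script sees, or the parse failure.
function roundTrip(escaped) {
  try {
    return { ok: true, value: new Function('return "' + escaped + '";')() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample from the issue: the two characters backslash, double quote.
const SAMPLE = '\\"';
```

With the quote-only escaper the literal is terminated early and the script fails to parse; both the backslash-prefix and hex outputs round-trip to the original two characters, which is why the issue's observed '\\\"' output is not by itself an escape-the-escape problem.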



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
