[jira] [Commented] (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '

AD_LB (Jira)

    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13639334#comment-13639334 ]

Sebb commented on LANG-572:
---------------------------

AIUI the lang3 method only encodes characters for which there is a corresponding entity in that version of HTML (3 or 4 currently supported). There is no such HTML entitiy for single quote. Note that ' is an XML entity, not HTML.

It is not the function of this method to sanitise input.
In general, different contexts need different solutions.
               

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '
> ------------------------------------------------------------------
>
>                 Key: LANG-572
>                 URL: https://issues.apache.org/jira/browse/LANG-572
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.4
>         Environment: Operating System: All
> Platform: All
>            Reporter: Keisuke Kato
>            Priority: Minor
>
> If developers putting untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>
> I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira