[jira] [Commented] (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '

AD_LB (Jira)

    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13639334#comment-13639334 ]

Sebb commented on LANG-572:

AIUI the lang3 method only encodes characters for which there is a corresponding entity in that version of HTML (3 or 4 currently supported). There is no such HTML entity for single quote. Note that &apos; is an XML entity, not HTML.

It is not the function of this method to sanitise input.
In general, different contexts need different solutions.

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '
> ------------------------------------------------------------------
>                 Key: LANG-572
>                 URL: https://issues.apache.org/jira/browse/LANG-572
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.4
>         Environment: Operating System: All
> Platform: All
>            Reporter: Keisuke Kato
>            Priority: Minor
> If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml(), like:
> <input type='text' name='input' value='<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'>
> then the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=' onfocus='alert(document.cookie);' id='
> <input type='text' name='input' value=''onfocus='alert(document.cookie);'id=''>
> I think LANG-122 (https://issues.apache.org/jira/browse/LANG-122) is not truly fixed from this aspect (XSS).

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
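Worked example of the point made in the thread (added here; it is not Commons Lang code and was not posted by anyone in the thread). escape_html4_entities_only is a hypothetical re-implementation of the behaviour Sebb describes, restricted to the four ASCII characters that have named HTML 4 entities, so ' passes through unchanged; escape_html_attribute is a hypothetical attribute-context escaper that additionally emits the numeric reference &#39;. Python's stdlib html.parser stands in for the browser, and the payload is the one from the report, URL-decoded. Running it shows the entities-only version handing the browser extra onfocus and id attributes, while the attribute-aware version keeps the whole payload inside value.

```python
"""Why an HTML-entity-only escaper is not enough inside a single-quoted
attribute, and what an attribute-context escaper must do instead.
Added example; not code from Commons Lang or from the LANG-572 thread."""
from html.parser import HTMLParser


def escape_html4_entities_only(s):
    """Hypothetical stand-in for the lang3 behaviour described in the thread:
    replace only characters that have a named HTML 4 entity.  The single quote
    has none (&apos; is XML / HTML5), so it is left alone.  The real method also
    maps ISO-8859-1 characters, which does not matter for this demonstration."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def escape_html_attribute(s):
    """Hypothetical attribute-context escaper: everything the entity-only
    version does, plus the numeric character reference for ', which browsers
    decode inside attribute values in both HTML 4 and HTML5."""
    return escape_html4_entities_only(s).replace("'", "&#39;")


def render_input(escaper, untrusted):
    """The JSP line from the report: untrusted data in a single-quoted value."""
    return "<input type='text' name='input' value='%s'>" % escaper(untrusted)


class _FirstTag(HTMLParser):
    """Collects the (name, value) attribute pairs of every start tag seen."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_first_tag(markup):
    """Return the attributes a tokenizer assigns to the first tag in markup,
    as a list of (name, value) pairs, values already entity-decoded."""
    p = _FirstTag()
    p.feed(markup)
    p.close()
    return p.tags[0][1]


# Constructed input: the attacker value from the report, URL-decoded.
PAYLOAD = "' onfocus='alert(document.cookie);' id='"


def attribute_names(escaper, untrusted=PAYLOAD):
    """Attribute names the browser side ends up with for a given escaper."""
    return [name for name, _ in parse_first_tag(render_input(escaper, untrusted))]


def parsed_value(escaper, untrusted=PAYLOAD):
    """What the browser side sees as the value attribute for a given escaper."""
    return dict(parse_first_tag(render_input(escaper, untrusted))).get("value")


if __name__ == "__main__":
    for label, esc in (("entities only   ", escape_html4_entities_only),
                       ("attribute-aware ", escape_html_attribute)):
        print(label, render_input(esc, PAYLOAD))
        print("   attributes seen:", attribute_names(esc))
        print("   value seen     :", repr(parsed_value(esc)))
```

The check a reviewer wants is the last two lines of output per escaper: with entity-only escaping the tokenizer reports type, name, value, onfocus, id and an empty value; with the attribute-aware escaper it reports only type, name, value, and the value decodes back to the original payload, which is the behaviour a context-specific attribute encoder is for.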