[lang] Question with the StringEscapeUtils.(un)escapeEcmaScript

Yasser Zamani
Hi there,

I just wonder why `StringEscapeUtils.escapeEcmaScript` also includes
`JavaUnicodeEscaper`. Is it really its business? The problem is that when we
use it to prevent script injection by users, it also replaces the Unicode
characters in user input with "\u" escapes, which one would not deduce from
the term `escapeEcmaScript`.

Another thing: it replaces e.g. '<' with '&lt;' (HTML/XML escaping) but
replaces Unicode with '\u....' rather than '&#'?

And finally, just out of curiosity: why does `ESCAPE_ECMASCRIPT` not include
`OctalUnescaper` while `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?

Thanks in advance!

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Re: [lang] Question with the StringEscapeUtils.(un)escapeEcmaScript

Benedikt Ritter-4
Hello Yasser,

Sorry for the late reply! I have been on vacation and needed some time to go through all the mails that have piled up :-)

> On 27.02.2017 at 15:38, Yasser Zamani <[hidden email]> wrote:
>
> Hi there,
>
> I just wonder why `StringEscapeUtils.escapeEcmaScript` also includes
> `JavaUnicodeEscaper`. Is it really its business? The problem is that when we
> use it to prevent script injection by users, it also replaces the Unicode
> characters in user input with "\u" escapes, which one would not deduce from
> the term `escapeEcmaScript`.

StringEscapeUtils contains general String escaping routines. It does not focus on business related escaping (how would you draw that line anyway?). escapeEcmaScript just escapes the characters in a String using EcmaScript String rules.
Can you please provide a failing test case showing the problem you see?

>
> Another thing: it replaces e.g. '<' with '&lt;' (HTML/XML escaping) but
> replaces Unicode with '\u....' rather than '&#'?

I fail to understand the problem here. The following test is green:

import static org.junit.Assert.assertEquals;
import org.apache.commons.lang3.StringEscapeUtils;
import org.junit.Test;

@Test
public void testEscape() throws Exception {
    assertEquals("< >", StringEscapeUtils.escapeEcmaScript("< >"));
}

So "<" and ">" are not escaped by escapeEcmaScript.

>
> And finally, just out of curiosity: why does `ESCAPE_ECMASCRIPT` not include
> `OctalUnescaper` while `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?

Again it is because it just escapes according to EcmaScript escaping rules.

Hope that helps!
Regards,
Benedikt

>
> Thanks in advance!
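To make the distinction in Benedikt's reply concrete, here is an added example; it is not code from this thread or from Commons Lang itself. It assumes commons-lang3 on the classpath (the org.apache.commons.lang3.StringEscapeUtils discussed here; later releases deprecate that class in favour of the same-named class in Commons Text, which keeps these method names). The class name, method names and the sample input are constructed for illustration. It shows escapeEcmaScript doing its actual job, protecting the boundaries of a JavaScript string literal, beside escapeHtml4, which is the escaper for HTML element content, and why the first is the wrong tool in the second context: '<' and '>' pass through it unchanged, exactly as Benedikt's test shows.

```java
import org.apache.commons.lang3.StringEscapeUtils;

/**
 * Added example (not from the thread or from Commons Lang): pick the escaper by
 * the output context. escapeEcmaScript protects the boundaries of a JavaScript
 * string literal; escapeHtml4 protects HTML text. Using the first where the
 * second is needed is the mistake discussed in this thread.
 */
public final class ContextEscapingDemo {

    // Constructed sample input: a quote, a closing tag and a non-ASCII character.
    static final String USER_INPUT = "O'Reilly </script> caf\u00e9";

    /** Correct use: the value is placed inside a single-quoted JS string literal. */
    static String jsStringLiteral(String value) {
        // escapeEcmaScript maps ' to \', / to \/ and non-ASCII to \uXXXX;
        // '<' and '>' are printable ASCII and are left as they are.
        return "var name = '" + StringEscapeUtils.escapeEcmaScript(value) + "';";
    }

    /** Correct use: the value is placed in HTML element content. */
    static String htmlText(String value) {
        // escapeHtml4 maps < to &lt;, > to &gt; and ISO-8859-1 letters to named entities.
        return "<p>" + StringEscapeUtils.escapeHtml4(value) + "</p>";
    }

    /** Wrong use (what the thread describes): a JS-string escaper in an HTML context. */
    static String htmlTextWrongEscaper(String value) {
        // The quote and the slash are escaped, but the angle brackets survive,
        // so the markup structure around the value is not protected at all.
        return "<p>" + StringEscapeUtils.escapeEcmaScript(value) + "</p>";
    }

    /** Sanity check a reviewer can apply to an escaped value before it goes into HTML. */
    static boolean containsRawAngleBrackets(String s) {
        return s.indexOf('<') >= 0 || s.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        System.out.println(jsStringLiteral(USER_INPUT));
        System.out.println(htmlText(USER_INPUT));
        System.out.println(htmlTextWrongEscaper(USER_INPUT));
        // The JS escaper leaves raw '<' and '>' in the value ...
        System.out.println(containsRawAngleBrackets(
                StringEscapeUtils.escapeEcmaScript(USER_INPUT)));
        // ... while the HTML escaper removes them.
        System.out.println(containsRawAngleBrackets(
                StringEscapeUtils.escapeHtml4(USER_INPUT)));
    }
}
```

The rule of thumb the example encodes: the escaper is chosen by where the bytes end up (a JS string literal, HTML text, an attribute, a URL), not by where they came from. A value that ends up inside a string literal inside an inline script needs both layers, JS-string escaping for the literal and the enclosing document's rules for the script element, and escapeEcmaScript covers only the first.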

Re: [lang] Question with the StringEscapeUtils.(un)escapeEcmaScript

Yasser Zamani


On 3/8/2017 12:21 PM, Benedikt Ritter wrote:
> Hello Yasser,
>
> Sorry for the late reply! I have been on vacation and needed some time to go through all the mails that have piled up :-)
Hello Benedikt, thank you very much for your answer.
>
> StringEscapeUtils contains general String escaping routines. It does not focus on business related escaping (how would you draw that line anyway?). escapeEcmaScript just escapes the characters in a String using EcmaScript String rules.
> Can you please provide a failing test case showing the problem you see?
>
Yes, you're right. I misused the method. It is for escaping an ECMAScript
string so that it can be used inside another ECMAScript string, but I wrongly
used it to escape against script injection!
> So "<" and ">" are not escaped by escapeEcmaScript.
My failure :(
>>
>> And finally just for a curious, why `ESCAPE_ECMASCRIPT` does not include
>> `OctalUnescaper` but `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?
>
> Again it is because it just escapes according to EcmaScript escaping rules.
It's somewhat weird: you mean escaping ECMAScript does not need octal
escaping, but unescaping ECMAScript does also need octal unescaping?
I.e. the inverse of escaping is not equal to unescaping, and vice versa.


Re: [lang] Question with the StringEscapeUtils.(un)escapeEcmaScript

Benedikt Ritter-4
Hello,

> On 11.03.2017 at 13:08, Yasser Zamani <[hidden email]> wrote:
>
>
>
> On 3/8/2017 12:21 PM, Benedikt Ritter wrote:
>> Hello Yasser,
>>
>> Sorry for the late reply! I have been on vacation and needed some time to go through all the mails that have piled up :-)
> Hello Benedikt, thank you very much for your answer.
>>
>> StringEscapeUtils contains general String escaping routines. It does not focus on business related escaping (how would you draw that line anyway?). escapeEcmaScript just escapes the characters in a String using EcmaScript String rules.
>> Can you please provide a failing test case showing the problem you see?
>>
> Yes, you're right. I misused the method. It is for escaping an ECMAScript
> string so that it can be used inside another ECMAScript string, but I wrongly
> used it to escape against script injection!
>> So "<" and ">" are not escaped by escapeEcmaScript.
> My failure :(
>>>
>>> And finally, just out of curiosity: why does `ESCAPE_ECMASCRIPT` not include
>>> `OctalUnescaper` while `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?
>>
>> Again it is because it just escapes according to EcmaScript escaping rules.
> It's somewhat weird: you mean escaping ECMAScript does not need octal
> escaping, but unescaping ECMAScript does also need octal unescaping?
> I.e. the inverse of escaping is not equal to unescaping, and vice versa.

To be honest, I don’t know :o) I’ve added Rob to the thread, because he has done quite some work in Commons Text and may know why this makes sense…

Regards,
Benedikt

Re: [lang] Question with the StringEscapeUtils.(un)escapeEcmaScript

sebb-2-2
On 12 March 2017 at 10:43, Benedikt Ritter <[hidden email]> wrote:

> Hello,
>
>> On 11.03.2017 at 13:08, Yasser Zamani <[hidden email]> wrote:
>>
>>
>>
>> On 3/8/2017 12:21 PM, Benedikt Ritter wrote:
>>> Hello Yasser,
>>>
>>> Sorry for the late reply! I have been on vacation and needed some time to go through all the mails that have piled up :-)
>> Hello Benedikt, thank you very much for your answer.
>>>
>>> StringEscapeUtils contains general String escaping routines. It does not focus on business related escaping (how would you draw that line anyway?). escapeEcmaScript just escapes the characters in a String using EcmaScript String rules.
>>> Can you please provide a failing test case showing the problem you see?
>>>
>> Yes, you're right. I misused the method. It is for escaping an ECMAScript
>> string so that it can be used inside another ECMAScript string, but I wrongly
>> used it to escape against script injection!
>>> So "<" and ">" are not escaped by escapeEcmaScript.
>> My failure :(
>>>>
>>>> And finally, just out of curiosity: why does `ESCAPE_ECMASCRIPT` not include
>>>> `OctalUnescaper` while `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?
>>>
>>> Again it is because it just escapes according to EcmaScript escaping rules.
>> It's somewhat weird: you mean escaping ECMAScript does not need octal
>> escaping, but unescaping ECMAScript does also need octal unescaping?
>> I.e. the inverse of escaping is not equal to unescaping, and vice versa.
>
> To be honest, I don’t know :o) I’ve added Rob to the thread, because he has done quite some work in Commons Text and may know why this makes sense…

OctalUnescaper is for UNESCAPE translators only.
There is no OctalEscaper.
Nor would it make sense to escape input as octal.

The other reason is that one should be strict in what one generates,
but liberal in what one accepts.

None of the types need Octal escaping, but if octal escapes are found
on input, I assume they need to be unescaped.

> Regards,
> Benedikt
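As an added example of the asymmetry sebb describes (not code from the thread or from Commons Lang; the class name, method names and sample strings are constructed, and it assumes commons-lang3 on the classpath): escapeEcmaScript never produces octal escapes, but unescapeEcmaScript, being unescapeJava, accepts them. So a plain string survives escape-then-unescape, while an escaped string does not in general survive unescape-then-escape, and two different escaped spellings can denote the same plain string. The defensive consequence is that any comparison or filtering of escaped input should be done on a canonical form: unescape liberally, then re-escape strictly.

```java
import org.apache.commons.lang3.StringEscapeUtils;

/**
 * Added example (not from the thread or from Commons Lang): the unescape side
 * is liberal (it also accepts octal escapes), the escape side is strict (it
 * emits only \uXXXX, control-character and quote/backslash/slash escapes).
 */
public final class EscapeRoundTripDemo {

    /** The direction the library guarantees: plain -> escaped -> plain. */
    static boolean plainRoundTrips(String plain) {
        String escaped = StringEscapeUtils.escapeEcmaScript(plain);
        return plain.equals(StringEscapeUtils.unescapeEcmaScript(escaped));
    }

    /** The other direction: escaped -> plain -> escaped. Not guaranteed. */
    static boolean escapedRoundTrips(String escaped) {
        String plain = StringEscapeUtils.unescapeEcmaScript(escaped);
        return escaped.equals(StringEscapeUtils.escapeEcmaScript(plain));
    }

    /**
     * Canonical form for comparing or filtering escaped input: accept every
     * spelling the unescaper understands, then emit only what the escaper
     * generates. Two inputs that denote the same string canonicalize equally.
     */
    static String canonicalize(String escaped) {
        return StringEscapeUtils.escapeEcmaScript(
                StringEscapeUtils.unescapeEcmaScript(escaped));
    }

    public static void main(String[] args) {
        // Constructed inputs: the letter e-acute (U+00E9) in three spellings.
        String plain = "caf\u00e9 said 'hi'\n";
        String octalForm = "caf\\351";     // octal 351 = 0xE9; accepted on input only
        String unicodeForm = "caf\\u00E9"; // the form escapeEcmaScript itself emits

        System.out.println(plainRoundTrips(plain));
        System.out.println(escapedRoundTrips(unicodeForm));
        System.out.println(escapedRoundTrips(octalForm));
        // Different escaped spellings, same canonical form:
        System.out.println(canonicalize(octalForm).equals(canonicalize(unicodeForm)));
        System.out.println(canonicalize(octalForm));
    }
}
```

Why this matters beyond curiosity: a check written against the escaped text (a blocklist, a signature, an equality test) sees "caf\351" and "caf\u00E9" as different strings, whereas every consumer that runs unescapeEcmaScript on them sees the same one. Normalizing through canonicalize before the check removes that gap.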