Posted to issues@commons.apache.org by "Henri Yandell (JIRA)" <ji...@apache.org> on 2013/04/26 09:12:16 UTC

[jira] [Reopened] (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

     [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell reopened LANG-572:
--------------------------------


Good question, definitely no heresy :)

I know my original intent 10+ years ago in my codebase was to use it to escape trusted arbitrary content. A known database being outputted as HTML (or XML or the other formats it's grown to cover). I don't recall if the Lang one descends from my original code or if it came from some of the code that was in Commons Util back then. 

I'm pretty sure my early code escaped the entities to numerics rather than the ISO terms, then the big lookup table was added to make the output more pleasing.

So today what it's useful for is being an entity converter, with the addition that it also escapes the basic four characters of XML. Perhaps the API should change to not be escapeHtml but instead drop the XML characters and be convertToISOEntities. Or perhaps it should focus on the Security aspects (reuse parts of OSAPI?). The former might not be very useful codewise, while the latter takes Lang further from general utilities and into kitchen sink. I'd rather the OSAPI folk were declaring the line on security around HTML :)

Reopening this to ensure discussion continues.
                
> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 
> ------------------------------------------------------------------
>
>                 Key: LANG-572
>                 URL: https://issues.apache.org/jira/browse/LANG-572
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.4
>         Environment: Operating System: All
> Platform: All 
>            Reporter: Keisuke Kato
>            Priority: Minor
>
> If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>
> I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
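The attribute breakout described in the report, as an added example that is not part of the issue thread or of Commons Lang: a small escaper modelling what the report says escapeHtml() did in 2.4, beside one that also escapes ' to &#39;, with the stdlib HTML parser used to show how many attributes each rendering yields. The escaper names, the parser helper and the JSP-like template are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample: the breakout value quoted in the issue report.
PAYLOAD = "' onfocus='alert(document.cookie);' id='"


def legacy_escape_html(s: str) -> str:
    """Model of the Lang 2.4 behaviour the report describes: the four basic
    XML characters are escaped but ' passes through. Illustrative
    re-implementation, not the Commons Lang code."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def escape_html_attr(s: str) -> str:
    """Attribute-safe variant: also turns ' into &#39;, as the issue title asks.
    A numeric reference is used because &apos; is not defined in HTML 4."""
    return legacy_escape_html(s).replace("'", "&#39;")


def render_input(value: str, escaper) -> str:
    # Same shape as the JSP snippet in the report: a single-quoted attribute.
    return "<input type='text' name='input' value='%s'>" % escaper(value)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

    handle_startendtag = handle_starttag


def parse_attrs(markup: str) -> list:
    """Parse the tag the way a browser would and return its (name, value)
    pairs with values unescaped. If the rendered value broke out of the
    attribute, the extra attributes show up here."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs


if __name__ == "__main__":
    for label, esc in (("legacy", legacy_escape_html), ("attr-safe", escape_html_attr)):
        print(label, parse_attrs(render_input(PAYLOAD, esc)))
```

With the legacy escaper the parser reports five attributes (onfocus and id appear), with the attribute-safe one it reports three and the value attribute round-trips to the original input.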