You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2012/11/06 13:28:12 UTC

[jira] [Commented] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon

    [ https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491411#comment-13491411 ] 

Sebb commented on LANG-757:
---------------------------

The method EntityArrays.semiColonOptional unconditionally strips the last character from the second element.

If this is intentional, it should be clearly documented.

Also, the method is public, yet it is only needed locally - it should be made private.

Is it really necessary to detect "&lt" ?
My reading of the referenced docs suggests that only Long UTF-8 entities and hex encoded entities are recognised without ";".
                
> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>
>                 Key: LANG-757
>                 URL: https://issues.apache.org/jira/browse/LANG-757
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
>
>
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt; (remove spaces) into normal chars like < so patterns like HTML tags can be detected.  Many browsers will allow variations without semicolons, particularly the long UTF-8 encoding like &#0000060.  Please see: http://ha.ckers.org/xss.html
> Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the method could allow better backward compatibility.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira