Posted to issues@commons.apache.org by "Henri Yandell (JIRA)" <ji...@apache.org> on 2009/12/19 22:21:18 UTC

[jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12792906#action_12792906 ] 

Henri Yandell commented on LANG-572:
------------------------------------

I don't think this is something the escapeHtml method should be trying to fix. It has a clear responsibility, and XSS is not within it (unless HTML 5 changes this). 

It's easy in 3.0 for the developer to escape ' symbols by adding another translator. Possibly we could add an escapeHtmlAndApos method. 

Or maybe chaining escapeEcmaScript to escapeHTML would work. Both options are within the realm of responsibility of the developer.

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 
> ------------------------------------------------------------------
>
>                 Key: LANG-572
>                 URL: https://issues.apache.org/jira/browse/LANG-572
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.4
>         Environment: Operating System: All
> Platform: All 
>            Reporter: Keisuke Kato
>            Priority: Minor
>
> If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>
> I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).

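The "add another translator" option from the comment above, worked through as an added example (this is not code from Commons Lang or from either participant in the thread). It assumes commons-lang3 3.x on the classpath, where `StringEscapeUtils.ESCAPE_HTML4` is the public translator behind `escapeHtml4()` and `AggregateTranslator`/`LookupTranslator` live in `org.apache.commons.lang3.text.translate`. It uses the request parameter from the report as a test vector and checks whether the escaped output still contains any character that could close a quoted attribute or open a tag.

```java
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.text.translate.AggregateTranslator;
import org.apache.commons.lang3.text.translate.CharSequenceTranslator;
import org.apache.commons.lang3.text.translate.LookupTranslator;

public class AttributeEscapeDemo {

    // Assumed: commons-lang3 3.x on the classpath. ESCAPE_HTML4 covers & < > "
    // but leaves the apostrophe untouched, which is the gap LANG-572 reports.
    // AggregateTranslator tries each translator in order at every position, so
    // the LookupTranslator below only fires on the character ESCAPE_HTML4 skips.
    static final CharSequenceTranslator ESCAPE_HTML4_AND_APOS = new AggregateTranslator(
            StringEscapeUtils.ESCAPE_HTML4,
            new LookupTranslator(new String[][] { { "'", "&#39;" } }));

    /** Escapes an untrusted value for use inside a single- or double-quoted attribute. */
    static String escapeAttribute(String untrusted) {
        return ESCAPE_HTML4_AND_APOS.translate(untrusted);
    }

    /** True if the escaped value could still terminate a quoted attribute or start a tag. */
    static boolean canBreakOut(String escaped) {
        return escaped.indexOf('\'') >= 0 || escaped.indexOf('"') >= 0
                || escaped.indexOf('<') >= 0 || escaped.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // The request parameter quoted in the issue report, used here as a test vector.
        String input = "' onfocus='alert(document.cookie);' id='";

        String htmlOnly = StringEscapeUtils.escapeHtml4(input);
        String hardened = escapeAttribute(input);

        // Only the chained translator removes the raw apostrophes.
        System.out.println("escapeHtml4 : " + htmlOnly + "  breakout=" + canBreakOut(htmlOnly));
        System.out.println("with &#39;  : " + hardened + "  breakout=" + canBreakOut(hardened));

        // Rendered into the single-quoted template from the report: the value stays
        // inside the attribute because every quote is now an entity reference.
        System.out.println("<input type='text' name='input' value='" + hardened + "'>");
    }
}
```

The `canBreakOut` check is the kind of assertion worth putting in a unit test for any template helper that writes into attribute values: it fails for `escapeHtml4` output on this input and passes for the chained translator, independent of which browser will eventually parse the page.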