Posted to issues@commons.apache.org by "Rob Spoor (JIRA)" <ji...@apache.org> on 2019/03/06 15:06:00 UTC

[jira] [Closed] (TEXT-154) StringEscapeUtils.escapeEcmaScript does not escape </script>

     [ https://issues.apache.org/jira/browse/TEXT-154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rob Spoor closed TEXT-154.
--------------------------
    Resolution: Not A Problem

I missed that the / is already escaped. That turns </script> into <\/script> which does not suffer the same problem.

> StringEscapeUtils.escapeEcmaScript does not escape </script>
> ------------------------------------------------------------
>
>                 Key: TEXT-154
>                 URL: https://issues.apache.org/jira/browse/TEXT-154
>             Project: Commons Text
>          Issue Type: Bug
>    Affects Versions: 1.6
>            Reporter: Rob Spoor
>            Priority: Critical
>
> According to [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md], just above RULE #3.1, HTML parsing occurs before JavaScript parsing. That means that any </script> will be treated as a script end tag, even if used inside a JavaScript string. For instance, the following looks like a script end tag inside a string followed by some incorrect syntax:
> {code}<script type="text/javascript">
> var s = 'this is a string with a </script><script type="text/javascript">alert("Hi!"); var s = '. Is this still JavaScript?';
> </script>
> {code}
> However, the browser shows the alert. That's because for the browser, these are actually two script tags:
> # {code}<script type="text/javascript">
> var s = 'this is a string with a </script>{code}
> # {code}<script type="text/javascript">alert("Hi!"); var s = '. Is this still JavaScript?';
> </script>{code}
> This can actually be prevented very easily by escaping {{</script>}} to either {{\u003C/script>}} or {{\x3C/script}}. Both mean the same thing as {{</script>}} for JavaScript, but the HTML parser will leave it alone.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
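
Added example, not part of the original JIRA message and not Commons Text code: a small JavaScript model of the point settled in this thread, comparing an unescaped string, the `\/` form mentioned in the closing comment, and the `\u003C` form proposed in the issue. All function names are hypothetical, the sample string is constructed, and `scriptEndIndex` is a simplified stand-in for the HTML parser's script end-tag detection.

```javascript
// Simplified model of the HTML tokenizer's script-data state: the element
// ends at the first "</script" (any case) followed by whitespace, "/" or ">".
function scriptEndIndex(scriptBody) {
  const m = /<\/script[\t\n\f\r \/>]/i.exec(scriptBody);
  return m ? m.index : -1;
}

// Minimal string-literal escaper (hypothetical): backslash, quotes and line
// breaks, plus "/" -> "\/", the behaviour the closing comment describes.
function escapeSlash(s) {
  return s.replace(/[\\'"\/\n\r]/g, c =>
    c === '\n' ? '\\n' : c === '\r' ? '\\r' : '\\' + c);
}

// Alternative proposed in the issue text: also emit "<" as \u003C.
function escapeLessThan(s) {
  return escapeSlash(s).replace(/</g, '\\u003C');
}

// Build the inline script body the way a server-side template would.
function inlineScript(value, escaper) {
  return "var s = '" + escaper(value) + "';";
}

// Evaluate the literal as JavaScript to confirm the value round-trips.
function evalLiteral(escaped) {
  return new Function("return '" + escaped + "';")();
}

// Constructed input, modelled on the string in the issue description.
const SAMPLE = 'a string with a </script><script>alert("Hi!");</script>';

function demo() {
  const raw = inlineScript(SAMPLE, s => s);
  const slash = inlineScript(SAMPLE, escapeSlash);
  const lt = inlineScript(SAMPLE, escapeLessThan);
  return {
    rawEndsEarly: scriptEndIndex(raw) !== -1,     // HTML parser cuts the script short
    slashEndsEarly: scriptEndIndex(slash) !== -1, // "<\/script>" is not an end tag
    ltEndsEarly: scriptEndIndex(lt) !== -1,       // no "<" left in the body at all
    slashRoundTrips: evalLiteral(escapeSlash(SAMPLE)) === SAMPLE,
    ltRoundTrips: evalLiteral(escapeLessThan(SAMPLE)) === SAMPLE,
  };
}
```
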