Posted to issues@commons.apache.org by "Rob Spoor (JIRA)" <ji...@apache.org> on 2019/03/06 15:00:00 UTC

[jira] [Created] (TEXT-154) StringEscapeUtils.escapeEcmaScript does not escape </script>

Rob Spoor created TEXT-154:
------------------------------

             Summary: StringEscapeUtils.escapeEcmaScript does not escape </script>
                 Key: TEXT-154
                 URL: https://issues.apache.org/jira/browse/TEXT-154
             Project: Commons Text
          Issue Type: Bug
    Affects Versions: 1.6
            Reporter: Rob Spoor


According to [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md], just above RULE #3.1, HTML parsing occurs before JavaScript parsing. That means that any </script> will be treated as a script end tag, even if used inside a JavaScript string. For instance, the following looks like a script end tag inside a string followed by some incorrect syntax:
{code}<script type="text/javascript">
var s = 'this is a string with a </script><script type="text/javascript">alert("Hi!"); var s = '. Is this still JavaScript?';
</script>
{code}
However, the browser shows the alert. That's because for the browser, these are actually two script tags:
# {code}<script type="text/javascript">
var s = 'this is a string with a </script>{code}
# {code}<script type="text/javascript">alert("Hi!"); var s = '. Is this still JavaScript?';
</script>{code}

This can actually be prevented very easily by escaping {{</script>}} to either {{\u003C/script>}} or {{\x3C/script>}}. Both mean the same thing as {{</script>}} for JavaScript, but the HTML parser will leave it alone.
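As an added example (not code from Commons Text or from the reporter), the following Node.js snippet models the gap described above: a simplified string escaper that leaves {{<}} alone, a hardened variant that emits {{\u003C}}, and a check showing where an HTML tokenizer would cut the script element. The function names and the tokenizer model are assumptions for illustration, not the library's API.

```javascript
// Added example, not Commons Text code. Models the issue with a constructed input.

function hex4(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
}

// Simplified model of an escaper that handles JavaScript string-literal
// metacharacters but leaves '<' untouched (the gap reported above).
function escapeJsStringNaive(s) {
  return s.replace(/[\\'"\r\n\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '\r': return '\\r';
      case '\n': return '\\n';
      default: return hex4(ch); // U+2028 / U+2029 line terminators
    }
  });
}

// Hardened variant: additionally rewrites '<' and '>' as \u003C / \u003E so the
// HTML tokenizer can never find "</script>" inside the string literal.
function escapeJsStringForScriptBlock(s) {
  return escapeJsStringNaive(s).replace(/[<>]/g, hex4);
}

// Model of the HTML tokenizer: a <script> element ends at the first "</script"
// (case-insensitive), regardless of what the JavaScript around it means.
// Returns the part of the script body the browser would actually execute.
function scriptBodyAsBrowserSeesIt(escaped) {
  const body = "var s = '" + escaped + "';";
  const end = body.search(/<\/script/i);
  return end === -1 ? body : body.slice(0, end);
}

// Evaluates the literal the way the JavaScript engine would, to show that the
// \u003C form decodes back to the original text.
function jsValueOf(escaped) {
  return new Function("return '" + escaped + "';")();
}

// Constructed sample input carrying a script end tag, as in the report.
const SAMPLE = 'a </script><script>alert("Hi!")</script> b';
```

Running `scriptBodyAsBrowserSeesIt` on the naive output shows the script body truncated at `var s = 'a `, while the hardened output survives intact and still decodes to the original text.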



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)