Posted to issues@commons.apache.org by "Robert Sussland (JIRA)" <ji...@apache.org> on 2014/10/08 04:35:33 UTC

[jira] [Comment Edited] (LANG-1042) StringEscapeUtils.escapeHtml() does not escape single quote

    [ https://issues.apache.org/jira/browse/LANG-1042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14162966#comment-14162966 ] 

Robert Sussland edited comment on LANG-1042 at 10/8/14 2:34 AM:
----------------------------------------------------------------

Sorry for not being clear. Generally the escaping is done on user data that is quoted in the template -- you wouldn't escape the entire template. A simple example, without a template, would be

{code:title=Sample.java|borderStyle=solid}
import org.apache.commons.lang3.StringEscapeUtils;

public class Sample {

  public static void main(String[] args) {

    // attacker-controlled value: closes the single-quoted attribute and adds a handler
    String taint = "' onclick='payload' ";

    // now we should be able to safely assign to an html attribute
    String escaped = StringEscapeUtils.escapeHtml3(taint);

    String generatedHtml = "<div title=' " + escaped + "'>Howdy</div>";
    System.out.println(generatedHtml); // <div title=' ' onclick='payload' '>Howdy</div> is unsafe for html rendering
  }

}
{code}




> StringEscapeUtils.escapeHtml() does not escape single quote
> -----------------------------------------------------------
>
>                 Key: LANG-1042
>                 URL: https://issues.apache.org/jira/browse/LANG-1042
>             Project: Commons Lang
>          Issue Type: Bug
>            Reporter: Robert Sussland
>            Priority: Critical
>
> The String Escape Utils should ensure that encoded data cannot escape from a string. However in HTML (starting with 1.0 and until the present), attribute values may be denoted by either single or double quotes. Therefore single quotes need to be escaped just as much as double quotes. 
> From the standard:
> http://www.w3.org/TR/html4/intro/sgmltut.html#h-3.2.2:
> "
> By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa. Authors may also use numeric character references to represent double quotes (&#34;) and single quotes (&#39;). For double quotes authors can also use the character entity reference &quot;.
> "
> Note that there have been several bugs in the wild in which string encoders use this library under the hood, and as a result fail to properly escape html attributes in which user input is stored:
> <div title='<%=user_data%>'>Howdy</div>
> if user_data = ' onclick='payload' ' 
> then an attacker can inject their code into the page even if the developer is using the string escape utils to escape the user string.
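The following is an added example, not code from the issue or from Commons Lang, that models the attribute-injection case described in the comment and in the issue text above. It assumes an escaper whose table covers only the characters the report attributes to escapeHtml3 (& < > ") and, as the report states, leaves the single quote alone; a hardened escaper that also emits &#39; (the numeric reference the quoted W3C text recommends); and a deliberately small start-tag tokenizer that splits attributes the way a browser does, so the effect of each escaper on a single-quoted and a double-quoted template can be compared. The payloads are constructed for the example.

```python
"""Model of the LANG-1042 attribute-injection case (constructed example).

None of this is Commons Lang code. escape_html3_like() only reproduces the
character set the report ascribes to escapeHtml3 (single quote absent);
escape_attr() is the hardened variant; attributes_of() is a minimal
tokenizer used to show what a browser would make of each result.
"""
import re

# Lookup table modelled on the basic HTML entities; single quote deliberately absent.
_HTML3_LIKE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def escape_html3_like(s: str) -> str:
    """escapeHtml3-style escaping: keeps data inside a double-quoted value only."""
    return "".join(_HTML3_LIKE.get(ch, ch) for ch in s)


def escape_attr(s: str) -> str:
    """Hardened escaping: same table plus ' -> &#39;, safe in either quote style."""
    return escape_html3_like(s).replace("'", "&#39;")


_TAG_RE = re.compile(r"<[A-Za-z][^\s>]*(.*?)>", re.S)
_ATTR_RE = re.compile(r"""([^\s=>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))""")


def attributes_of(html: str) -> dict:
    """Return {name: value} for the first start tag in html.

    A quoted value ends at the first matching quote, whatever the template
    author intended; that is exactly what lets the payload break out.
    """
    m = _TAG_RE.match(html)
    if m is None:
        raise ValueError("no start tag at beginning of input")
    attrs = {}
    for a in _ATTR_RE.finditer(m.group(1)):
        name, dq, sq, bare = a.groups()
        attrs[name] = dq if dq is not None else sq if sq is not None else bare
    return attrs


def render(escaper, quote: str, user_data: str) -> str:
    """The template from the report: <div title=Q<%=user_data%>Q>Howdy</div>."""
    return "<div title=" + quote + escaper(user_data) + quote + ">Howdy</div>"


def injected(escaper, quote: str, user_data: str) -> bool:
    """True if the user-controlled value produced any attribute besides title."""
    return set(attributes_of(render(escaper, quote, user_data))) != {"title"}


if __name__ == "__main__":
    # Constructed payloads: the one from the report and its double-quote twin.
    cases = (("'", "' onclick='payload' "), ('"', '" onclick="payload" '))
    for quote, taint in cases:
        for label, esc in (("escapeHtml3-like", escape_html3_like), ("escape_attr", escape_attr)):
            verdict = "INJECTED" if injected(esc, quote, taint) else "safe"
            print(f"{label:16} in {quote}-quoted attribute: {verdict:8} {render(esc, quote, taint)}")
```

Running it shows the escapeHtml3-style table holds up in a double-quoted attribute and fails in a single-quoted one, while the hardened escaper holds in both; the report's point is that the library cannot know which quote style the template used, so the only safe default is to encode both. Python's own html.escape(s, quote=True) already does this, encoding both " and ' .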



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)