Posted to dev@myfaces.apache.org by "Thomas Andraschko (JIRA)" <de...@myfaces.apache.org> on 2019/03/15 19:24:00 UTC

[jira] [Comment Edited] (MYFACES-4238) Single quote not properly encoded in renderkit.html.util.HTMLEncoder

    [ https://issues.apache.org/jira/browse/MYFACES-4238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16793885#comment-16793885 ] 

Thomas Andraschko edited comment on MYFACES-4238 at 3/15/19 7:23 PM:
---------------------------------------------------------------------

Please provide a sample xhtml + bean to reproduce your exact problem.
I will close it for now, we can reopen later if all infos are provided.


was (Author: tandraschko):
Please provide a sample to reproduce your exact problem.
I will close it for now, we can reopen later if all infos are provided.

> Single quote not properly encoded in renderkit.html.util.HTMLEncoder
> --------------------------------------------------------------------
>
>                 Key: MYFACES-4238
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4238
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.3.1
>            Reporter: Matt Austin
>            Priority: Major
>
> Single quotes can be used to enclose HTML attributes: 
> {code:java}
> <img src='userInput' />{code}
> However only double quotes are encoded. 
> As OWASP describes, single quotes should also be encoded as '
>  [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content]
> See the following example:
> {code:java}
> import org.apache.myfaces.shared.renderkit.html.util.*;
> import java.io.IOException;
> import java.io.StringWriter;
> public class FaceTest {
>   private static StringWriter userInput;
>   public static void main(String[] args) throws IOException {
>       userInput = new StringWriter(40);
>       HTMLEncoder.encode(userInput, "x' onerror='alert(1);'//");
>       System.out.println("<img src='"+ userInput.toString() +"' />");
>   }
> }{code}
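To make the attribute-context problem in the report concrete, here is an added, self-contained example (not MyFaces code and not the HTMLEncoder class the issue is about). It contrasts a hypothetical "double quote only" encoder with one that escapes all five characters the OWASP rule lists, including the single quote as `&#x27;`, and runs both over the sample input from the report inside a single-quoted attribute. Class and method names here are my own.

```java
/**
 * Added example for MYFACES-4238: why an attribute encoder must escape the
 * single quote as well as the double quote. Nothing here is MyFaces code.
 */
public class AttributeEncodingExample {

    /** Escapes the five characters OWASP Rule #1 lists for HTML content and attributes. */
    static String encodeForAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break; // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hypothetical encoder with the weakness the report describes: double quote only. */
    static String encodeDoubleQuoteOnly(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;");  break;
                case '<': sb.append("&lt;");   break;
                case '>': sb.append("&gt;");   break;
                case '"': sb.append("&quot;"); break;
                default:  sb.append(c);        // single quote passes through unchanged
            }
        }
        return sb.toString();
    }

    /**
     * Check a defender would put in a unit test: after encoding, no raw copy of the
     * delimiter used around the attribute (and no raw angle bracket) may remain,
     * otherwise the value can terminate the attribute or the element.
     */
    static boolean staysInsideAttribute(String encoded, char delimiter) {
        return encoded.indexOf(delimiter) < 0
            && encoded.indexOf('<') < 0
            && encoded.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample, the same value used in the report's FaceTest class.
        String userInput = "x' onerror='alert(1);'//";

        String weak = encodeDoubleQuoteOnly(userInput);
        String full = encodeForAttribute(userInput);

        System.out.println("double-quote-only: <img src='" + weak + "' />");
        System.out.println("  safe in '-quoted attribute? " + staysInsideAttribute(weak, '\''));
        System.out.println("  safe in \"-quoted attribute? " + staysInsideAttribute(weak, '"'));

        System.out.println("full encoding:     <img src='" + full + "' />");
        System.out.println("  safe in '-quoted attribute? " + staysInsideAttribute(full, '\''));
        System.out.println("  safe in \"-quoted attribute? " + staysInsideAttribute(full, '"'));
    }
}
```

Running this prints `false` for the weak encoder in the single-quoted case and `true` for the full encoder in both cases. The check in `staysInsideAttribute` is the kind of assertion a renderer's test suite can carry for every delimiter it emits; until an encoder escapes both quote characters, the safe course for a renderer is to emit attribute values only inside the quote character it does escape.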



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)