Posted to dev@commons.apache.org by Yasser Zamani <ya...@live.com> on 2017/02/25 08:38:04 UTC
[lang] Question with the StringEscapeUtils.(un)escapeEcmaScript
Hi there,
I just wonder why `StringEscapeUtils.escapeEcmaScript` also includes
`JavaUnicodeEscaper`? Is it really its business? The problem is, when we
use it to prevent script injection by users, it also replaces the user
input's Unicode characters with "\u"s, which is not deducible from the
`escapeEcmaScript` term.
Another thing is, it replaces e.g. '<' with '&lt;' (HTML/XML escape) but
replaces Unicode with '\u....' rather than '&#....'?
And finally, just out of curiosity, why does `ESCAPE_ECMASCRIPT` not include
`OctalUnescaper` while `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?
Thanks in advance!
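As an added example (not code from the email or from Commons Lang itself), assuming Commons Lang 3 (`org.apache.commons.lang3`) on the classpath, the following shows which characters `escapeEcmaScript` actually touches and why a JavaScript-string escape on its own is the wrong layer when the string also sits inside HTML:

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class EcmaScriptEscapeDemo {

    // Constructed sample input: an apostrophe, a closing script tag,
    // a non-ASCII letter (e acute) and an HTML tag.
    static final String USER_INPUT = "O'Reilly </script> caf\u00e9 <b>";

    // Context 1: the value is dropped into a JS string literal inside a
    // <script> block. escapeEcmaScript escapes the JS string delimiters
    // (' and "), the backslash, the forward slash and control characters,
    // and rewrites anything outside printable ASCII as a backslash-u
    // escape. It does not touch '<' or '>'; the escaped '/' is what keeps
    // the HTML parser from seeing a literal </script> inside the literal.
    static String forJsStringLiteral(String s) {
        return StringEscapeUtils.escapeEcmaScript(s);
    }

    // Context 2: the same literal lives inside an HTML attribute such as
    // onclick="show('...')". The browser decodes the attribute as HTML
    // before the JS engine parses it, so the inner (JS) escape is applied
    // first and the outer (HTML) escape second; one layer alone is not
    // enough for either parser.
    static String forJsInHtmlAttribute(String s) {
        return StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(s));
    }

    // The backslash-u rewrite is lossless: unescapeEcmaScript restores the
    // original characters, so the transformation is cosmetic, not destructive.
    static boolean roundTrips(String s) {
        return StringEscapeUtils.unescapeEcmaScript(StringEscapeUtils.escapeEcmaScript(s))
                .equals(s);
    }

    public static void main(String[] args) {
        System.out.println(forJsStringLiteral(USER_INPUT));
        System.out.println(forJsInHtmlAttribute(USER_INPUT));
        System.out.println(roundTrips(USER_INPUT));
    }
}
```

The `'<' -> '&lt;'` rewrite only appears in the second output, produced by `escapeHtml4`; `escapeEcmaScript` on its own leaves angle brackets alone and relies on `\/` to neutralise `</script>`.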