Posted to issues@commons.apache.org by "Keisuke Kato (JIRA)" <ji...@apache.org> on 2009/12/19 16:01:18 UTC

[jira] Created: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

[XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39; 
------------------------------------------------------------------

                 Key: LANG-572
                 URL: https://issues.apache.org/jira/browse/LANG-572
             Project: Commons Lang
          Issue Type: Improvement
          Components: lang.*
    Affects Versions: 2.4
         Environment: Operating System: All
Platform: All 
            Reporter: Keisuke Kato


If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:

<input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>

Then, the attacker is able to break out of the HTML attribute context like:

hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*

<input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>

I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12793079#action_12793079 ] 

Henri Yandell commented on LANG-572:
------------------------------------

Sebb - agreed on there possibly being a feature here. 

Note - Lang 3.0 does not escape above 0x7f for HTML. The developer has to add that if they want that feature.



[jira] Updated: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Keisuke Kato (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keisuke Kato updated LANG-572:
------------------------------

       Priority: Minor  (was: Major)
    Description: 
If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:

<input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>


Then, the attacker is able to break out of the HTML attribute context like:

hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
<input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>


I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).

  was:
If developers put untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:

<input type='text' name='input' value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>

Then, the attacker is able to break out of the HTML attribute context like:

hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*

<input type='text' name='input' value='*'onfocus='alert(document.cookie);'id='*'>

I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not truly fixed from this aspect (XSS).




[jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12792906#action_12792906 ] 

Henri Yandell commented on LANG-572:
------------------------------------

I don't think this is something the escapeHtml method should be trying to fix. It has a clear responsibility, and XSS is not within it (unless HTML 5 changes this). 

It's easy in 3.0 for the developer to escape ' symbols by adding another translator. Possibly we could add an escapeHtmlAndApos method. 

Or maybe chaining escapeEcmaScript to escapeHTML would work. Both options are within the realm of responsibility of the developer.



[jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Sebb (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12793026#action_12793026 ] 

Sebb commented on LANG-572:
---------------------------

Agree that it is out of scope for escapeHtml.

What's being requested here is a means of sanitising input data, which is not at all the same. 
For example, there is no need to change "&" or ">" in order to make the input safe.
Indeed, that may have unwanted side effects.



[jira] Closed: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Keisuke Kato (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keisuke Kato closed LANG-572.
-----------------------------




[jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12792907#action_12792907 ] 

Henri Yandell commented on LANG-572:
------------------------------------

Even in 2.4 this could easily be:

<input type='text' name='input' value='<%=StringEscapeUtils.escapeHtml(request.getParameter("input")).replaceAll("'", "&#39;")%>'>

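An added Java example, not code from this thread or from Commons Lang, that models what escapeHtml() does to the characters relevant here and compares three ways of treating the apostrophe inside a single-quoted attribute; the class and method names are assumed, and the input is the report's own query parameter:

```java
/**
 * Stand-in for the part of StringEscapeUtils.escapeHtml() (Commons Lang 2.4)
 * that matters for this report: it escapes &, <, > and " but leaves the
 * apostrophe untouched. Illustrative model, not the library's code.
 */
public final class AttributeEscapeDemo {

    private AttributeEscapeDemo() {}

    /** Models escapeHtml(): no entity is emitted for the single quote. */
    static String escapeHtmlLikeLang24(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The 2.4-era chaining proposed above: map ' to its numeric entity. */
    static String escapeForSingleQuotedAttribute(String s) {
        return escapeHtmlLikeLang24(s).replace("'", "&#39;");
    }

    /** A backslash is not an escape in HTML, so \' still leaves a raw quote. */
    static String escapeWithBackslash(String s) {
        return escapeHtmlLikeLang24(s).replace("'", "\\'");
    }

    /** True if a raw ' survived, i.e. the value can close the attribute. */
    static boolean canBreakOutOfSingleQuotedAttribute(String escapedValue) {
        return escapedValue.indexOf('\'') >= 0;
    }

    public static void main(String[] args) {
        // Constructed: the query parameter from the report, as the servlet hands it over.
        String input = "' onfocus='alert(document.cookie);' id='";

        String[] candidates = {
            escapeHtmlLikeLang24(input),          // raw ' survives: attribute closed
            escapeWithBackslash(input),           // raw ' still survives
            escapeForSingleQuotedAttribute(input) // no raw ' left: stays in the attribute
        };
        for (String v : candidates) {
            System.out.printf("%-4s <input type='text' name='input' value='%s'>%n",
                    canBreakOutOfSingleQuotedAttribute(v) ? "XSS" : "ok", v);
        }
    }
}
```

The same check applies to a double-quoted attribute with `"` in place of `'`; escapeHtml() already covers that case with `&quot;`.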


[jira] Resolved: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Keisuke Kato (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keisuke Kato resolved LANG-572.
-------------------------------

    Resolution: Not A Problem



[jira] Updated: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell updated LANG-572:
-------------------------------

    Remaining Estimate:     (was: 0.08h)
     Original Estimate:     (was: 0.08h)



[jira] Issue Comment Edited: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Sebb (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12793026#action_12793026 ] 

Sebb edited comment on LANG-572 at 12/20/09 7:54 PM:
-----------------------------------------------------

Agree that it is out of scope for escapeHtml.

What's being requested here is a means of sanitising input data, which is not at all the same. 
For example, there is no need to change "&" or ">" in order to make the input safe.
Indeed, that may have unwanted side effects.

      was (Author: sebb@apache.org):
    Agree that it is out of scope for escapeHtml.

What's being requested here is a means of sanitising input data, which not at all the same. 
For example, there is no need to change "&" or ">" in order to make the input safe.
Indeed, that may have unwanted side effects.
  


[jira] Commented: (LANG-572) [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;

Posted by "Keisuke Kato (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12793072#action_12793072 ] 

Keisuke Kato commented on LANG-572:
-----------------------------------

I see. No surprise there. Thank you for the advice. For your reference, I attached OWASP [ESAPI|http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API].

I'm still not quite convinced about c > 0x7F ([UTF-8|http://ja.wikipedia.org/wiki/Unicode%E4%B8%80%E8%A6%A7_0000-0FFF]).

{code:title=Apache Commons Lang (2.4) Entities.java|borderStyle=solid}
//public void escape(Writer writer, String str)
if (entityName == null) {
    if (c > 0x7F) {
        writer.write("&#");
        writer.write(Integer.toString(c, 10));
        writer.write(';');
    } else {
        writer.write(c);
    }
} else {
    writer.write('&');
    writer.write(entityName);
    writer.write(';');
}
{code} 

{code:title=ESAPI (1.4) DefaultEncoder.java|borderStyle=solid}
//public String encodeForHTML(String input)
if ( c == '\t' || c == '\n' || c == '\r' ) {
    sb.append( c );
} else if ( c <= 0x1f || ( c >= 0x7f && c <= 0x9f ) ) {
    logger.warning( Logger.SECURITY, false, "Attempt to HTML entity encode illegal character: " + (int)c + " (skipping)" );
    sb.append( ' ' );
} else {
    sb.append( encode( c, htmlCodec, CHAR_ALPHANUMERICS, IMMUNE_HTML ) );
}
{code}


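An added Java example, not code from the thread or from either library, that runs the two per-character policies quoted above side by side on one constructed string (an apostrophe, a C1 control character and a non-ASCII letter); the class and method names are assumed, and the ESAPI codec's entity syntax and immune set are modelled as decimal entities plus alphanumerics and space, which is an assumption:

```java
/**
 * Model of the two range rules quoted in the comment above: Commons Lang 2.4
 * Entities.escape() (decimal entity only for c > 0x7F, everything else written
 * through) versus ESAPI 1.4 encodeForHTML() (control characters replaced,
 * every non-immune character encoded). Illustrative, not the libraries' code.
 */
public final class EncodingPolicyDemo {

    private EncodingPolicyDemo() {}

    /** Named entities both policies agree on; other characters follow the range rules. */
    private static String namedEntity(char c) {
        switch (c) {
            case '&': return "&amp;";
            case '<': return "&lt;";
            case '>': return "&gt;";
            case '"': return "&quot;";
            default:  return null;
        }
    }

    /** Lang 2.4 style: only characters above 0x7F receive a numeric entity. */
    static String langStyle(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String entityName = namedEntity(c);
            if (entityName == null) {
                if (c > 0x7F) sb.append("&#").append((int) c).append(';');
                else sb.append(c);            // ' and C0 controls pass through unchanged
            } else {
                sb.append(entityName);
            }
        }
        return sb.toString();
    }

    /** ESAPI 1.4 style; entity syntax and immune set are modelled (assumption). */
    static String esapiStyle(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\t' || c == '\n' || c == '\r') {
                sb.append(c);
            } else if (c <= 0x1f || (c >= 0x7f && c <= 0x9f)) {
                sb.append(' ');               // illegal control character: replaced
            } else if ((c < 0x80 && Character.isLetterOrDigit(c)) || c == ' ') {
                sb.append(c);                 // immune: ASCII alphanumerics and space
            } else {
                String named = namedEntity(c);
                sb.append(named != null ? named : "&#" + (int) c + ";");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: apostrophe, C1 control 0x85, and the letter e-acute (0xE9).
        String sample = "it's \u0085 caf\u00e9";
        System.out.println("lang  : " + langStyle(sample));   // it's &#133; caf&#233;
        System.out.println("esapi : " + esapiStyle(sample));  // it&#39;s   caf&#233;
    }
}
```

Both policies agree on the non-ASCII letter; they differ on the apostrophe, which only the ESAPI-style rule encodes, and on the control character, which the Lang-style rule writes through and the ESAPI-style rule discards.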