Posted to issues@commons.apache.org by "Bruno P. Kinoshita (JIRA)" <ji...@apache.org> on 2017/02/10 20:17:41 UTC

[jira] [Commented] (TEXT-42) [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?

    [ https://issues.apache.org/jira/browse/TEXT-42?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861807#comment-15861807 ] 

Bruno P. Kinoshita commented on TEXT-42:
----------------------------------------

I agree on adding notes to the javadoc regarding security. Neutral on adding methods specifically for that. My concern would be on having to add multiple secureFoo methods for other things that may be explored for attacks in the future.

> [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
> ------------------------------------------------------------------
>
>                 Key: TEXT-42
>                 URL: https://issues.apache.org/jira/browse/TEXT-42
>             Project: Commons Text
>          Issue Type: Bug
>            Reporter: Andy Reek
>              Labels: XSS
>             Fix For: 1.x
>
>
> org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape via a prefixed '\' on all characters which must be escaped. I am not sure if this is really secure, if I am looking at the comments on https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values. They say it is possible to do an attack by escaping the escape. I tested this with the string '\"' and the output was '\\\"'. Is this really ecma-/java-script secure? Or is it better to use the implementation used by OWASP?



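
The "escape the escape" concern from the quoted issue, as an added example that is not part of the original message and is not Commons Text or OWASP code. It compares three escaping styles on the issue's test string and checks whether a quote or a closing script tag survives; all function names are hypothetical and the inputs are constructed.

```javascript
// Added illustration. All function names are hypothetical; this is not the
// Commons Text or OWASP implementation.

// Weak: prefixes quotes with '\' but leaves an existing '\' untouched.
const escapeQuotesOnly = s => s.replace(/["']/g, c => '\\' + c);

// Backslash-prefix style that also escapes '\' and '/'. Reproduces the
// result reported in the issue: \" becomes \\\".
const escapeWithBackslash = s => s.replace(/[\\"'\/]/g, c => '\\' + c);

// Hex style described by the OWASP rule: non-alphanumerics below 256 become
// \xHH (\uHHHH for code units above 0xFF is this example's choice).
function escapeHex(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const hex = c.toString(16).toUpperCase();
    if (/[A-Za-z0-9]/.test(s[i])) out += s[i];
    else if (c < 256) out += '\\x' + hex.padStart(2, '0');
    else out += '\\u' + hex.padStart(4, '0');
  }
  return out;
}

// Scans an escaped string-literal body the way a JS lexer would and returns
// the index of the first quote NOT consumed by a preceding '\', or -1.
function firstUnescapedQuote(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i++; continue; } // '\' consumes the next char
    if (body[i] === '"' || body[i] === "'") return i;
  }
  return -1;
}

// In an inline <script> block the HTML parser ends the element at "</script"
// regardless of JavaScript quoting, so that sequence must not survive.
const closesScriptElement = body => /<\/script/i.test(body);

// Constructed inputs: the two-character string from the issue, and a closing tag.
const fromIssue = '\\"';
const closeTag = '</script>';
for (const esc of [escapeQuotesOnly, escapeWithBackslash, escapeHex]) {
  console.log(esc.name, JSON.stringify(esc(fromIssue)),
    'quote at', firstUnescapedQuote(esc(fromIssue)),
    'closes script:', closesScriptElement(esc(closeTag)));
}
```

Only the quotes-only escaper leaves a live quote (index 2) and an intact closing tag; the other two leave neither for these inputs.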