Matt Austin created MYFACES-4238:

             Summary: Single quote not properly encoded in 
                 Key: MYFACES-4238
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions: 2.3.1
            Reporter: Matt Austin

Single quotes can be used to enclose HTML attributes:
{code}
<img src='userInput' />
{code}
However, only double quotes are encoded.

As OWASP describes, single quotes should also be encoded as &#x27;.

See the following example:
{code}
import java.io.IOException;
import java.io.StringWriter;

import org.apache.myfaces.shared.renderkit.html.util.*;

public class FaceTest {
  private static StringWriter userInput;

  public static void main(String[] args) throws IOException {
      userInput = new StringWriter(40);
      // Only &, <, > and " are encoded; the single quotes pass through untouched
      HTMLEncoder.encode(userInput, "x onerror='alert(1);'//");
      // Prints <img src='x onerror='alert(1);'//' /> with the attribute boundary broken
      System.out.println("<img src='"+ userInput.toString() +"' />");
  }
}
{code}


This message was sent by Atlassian JIRA

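The attribute breakout the report describes, as an added example written for this page (not code from the report, and not MyFaces' HTMLEncoder): a double-quote-only encoder beside the OWASP attribute rule, each fed through a small model of the HTML5 tokenizer's attribute states to show what a browser makes of <img src='...' />. Everything here is an assumption for illustration: the two encoders are stand-ins for the behaviour described, the tokenizer is a simplified model, and the second payload is constructed to put the quote directly after the value. With the report's payload the double-quote-only encoder leaves src truncated to "x onerror=" plus two junk attributes; with the second payload it yields an onerror attribute; with the single quote encoded as &#x27; the whole input survives as one src value.

```python
import html

# Whitespace as the HTML5 tokenizer defines it (tab, LF, FF, CR, space).
WS = " \t\n\r\f"


def encode_double_quote_only(s):
    """Models the reported behaviour: & < > and " are escaped, ' is not."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def encode_attribute_owasp(s):
    """OWASP attribute-value rule: the same set plus ' as &#x27; and / as &#x2F;."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
             '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(ch, ch) for ch in s)


def tokenize_start_tag(markup):
    """Parse one start tag the way the HTML5 tokenizer's attribute states do
    and return (tag_name, [(attr_name, decoded_value), ...]).

    Simplified model (assumption): no duplicate-attribute or NUL handling,
    and the input holds the whole tag. The rules that matter here are kept:
    a quoted value runs to the next matching quote, whatever follows it
    starts a new attribute, and a stray quote inside a name is kept as part
    of the name (a parse error, not a terminator)."""
    assert markup.startswith("<"), "expected a start tag"
    i, n = 1, len(markup)
    tag = ""
    while i < n and markup[i] not in WS + "/>":
        tag += markup[i].lower()
        i += 1
    attrs = []
    while i < n:
        c = markup[i]
        if c in WS or c == "/":  # before-attribute-name / self-closing state
            i += 1
            continue
        if c == ">":
            break
        # attribute name state: ends at whitespace, '/', '>' or '='
        name = ""
        while i < n and markup[i] not in WS + "/>=":
            name += markup[i].lower()
            i += 1
        while i < n and markup[i] in WS:  # after attribute name state
            i += 1
        value = ""
        if i < n and markup[i] == "=":
            i += 1
            while i < n and markup[i] in WS:  # before attribute value state
                i += 1
            if i < n and markup[i] in "'\"":  # quoted value: up to the matching quote
                quote = markup[i]
                end = markup.find(quote, i + 1)
                if end < 0:
                    end = n
                value = markup[i + 1:end]
                i = end + 1
            else:  # unquoted value: up to whitespace or '>'
                while i < n and markup[i] not in WS + ">":
                    value += markup[i]
                    i += 1
        # Character references are decoded after tokenizing, as a browser does.
        attrs.append((name, html.unescape(value)))
    return tag, attrs


def render_img(encoded_value):
    """The markup the report builds: <img src='VALUE' />."""
    return "<img src='" + encoded_value + "' />"


def img_attributes(encoder, user_input):
    """Encode user_input with the given encoder, place it in the single-quoted
    src attribute and return the attributes a browser would see."""
    _, attrs = tokenize_start_tag(render_img(encoder(user_input)))
    return attrs


# Constructed inputs: the first is the payload from the report, the second
# puts the quote directly after the value so the breakout yields an event
# handler attribute.
REPORT_PAYLOAD = "x onerror='alert(1);'//"
HANDLER_PAYLOAD = "x' onerror='alert(1)"

if __name__ == "__main__":
    for payload in (REPORT_PAYLOAD, HANDLER_PAYLOAD):
        for enc in (encode_double_quote_only, encode_attribute_owasp):
            print(enc.__name__, render_img(enc(payload)))
            print("   ->", img_attributes(enc, payload))
```

Run it as a script to print the rendered markup and the parsed attribute list for each combination. The numeric form &#x27; is used rather than &apos; because &apos; is not an HTML 4 entity, which is why the OWASP cheat sheet recommends the numeric reference for attribute values.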