[
https://issues.apache.org/jira/browse/MYFACES-4238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687845#comment-16687845
]
Thomas Andraschko commented on MYFACES-4238:
--------------------------------------------
[~mattaustin] ping ;)
> Single quote not properly encoded in renderkit.html.util.HTMLEncoder
> --------------------------------------------------------------------
>
> Key: MYFACES-4238
> URL: https://issues.apache.org/jira/browse/MYFACES-4238
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 2.3.1
> Reporter: Matt Austin
> Priority: Major
> Fix For: 2.3.3, 3.0.0-SNAPSHOT
>
>
> Single quotes can be used to enclose HTML attributes:
> {code:java}
> <img src='userInput' />{code}
> However only double quotes are encoded.
> As OWASP describes, single quotes should also be encoded as &#x27;
>
> [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content]
> See the following example:
> {code:java}
> import org.apache.myfaces.shared.renderkit.html.util.*;
> import java.io.IOException;
> import java.io.StringWriter;
>
> public class FaceTest {
>     private static StringWriter userInput;
>
>     public static void main(String[] args) throws IOException {
>         userInput = new StringWriter(40);
>         HTMLEncoder.encode(userInput, "x' onerror='alert(1);'//");
>         System.out.println("<img src='" + userInput.toString() + "' />");
>     }
> }{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
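
The encoding gap described in the issue, as an added example that is not part of the original message and is not MyFaces code. The class `AttributeEncodeDemo` and its methods are hypothetical; the `escapeSingleQuote` flag switches between the reported behaviour and the encoding the report asks for, and the check confirms the encoded value can no longer close a quoted attribute.

```java
public class AttributeEncodeDemo {

    // Hypothetical encoder written for this example (not HTMLEncoder itself).
    // escapeSingleQuote=false models the behaviour reported in the issue.
    static String encode(String input, boolean escapeSingleQuote) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'':
                    // The case the report says is missing: OWASP's &#x27; form.
                    if (escapeSingleQuote) { out.append("&#x27;"); } else { out.append(c); }
                    break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // True when the encoded value contains no raw quote character, so it
    // cannot terminate an attribute delimited by either ' or ".
    static boolean staysInsideAttribute(String encoded) {
        return encoded.indexOf('\'') < 0 && encoded.indexOf('"') < 0;
    }

    public static void main(String[] args) {
        String input = "x' onerror='alert(1);'//"; // input string taken from the report
        String before = encode(input, false);
        String after = encode(input, true);

        System.out.println("<img src='" + before + "' />  contained=" + staysInsideAttribute(before));
        System.out.println("<img src='" + after + "' />  contained=" + staysInsideAttribute(after));

        // Regression-style check: the old behaviour must fail, the fixed one must pass.
        if (staysInsideAttribute(before) || !staysInsideAttribute(after)) {
            throw new AssertionError("encoder check failed");
        }
    }
}
```

The `staysInsideAttribute` check is the kind of assertion a unit test for the fixed encoder can carry, so a later change that drops the single-quote case is caught.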