[
https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12792906#action_12792906
]
Henri Yandell commented on LANG-572:
------------------------------------
I don't think this is something the escapeHtml method should be trying to fix.
It has a clear responsibility, and XSS is not within it (unless HTML 5 changes
this).
It's easy in 3.0 for the developer to escape ' symbols by adding another
translator. Possibly we could add an escapeHtmlAndApos method.
Or maybe chaining escapeEcmaScript to escapeHTML would work. Both options are
within the realm of responsibility of the developer.
> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '
> ------------------------------------------------------------------
>
> Key: LANG-572
> URL: https://issues.apache.org/jira/browse/LANG-572
> Project: Commons Lang
> Issue Type: Improvement
> Components: lang.*
> Affects Versions: 2.4
> Environment: Operating System: All
> Platform: All
> Reporter: Keisuke Kato
> Priority: Minor
>
> If developers putting untrusted data into attribute values using the single
> quote character ' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input'
> value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input'
> value='*'onfocus='alert(document.cookie);'id='*'>
> I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not
> truly fixed from this aspect (XSS).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
