[jira] [Commented] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon

Wed, 14 Nov 2012 08:30:15 -0800 

    [ 
https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13497200#comment-13497200
 ] 

Duncan Jones commented on LANG-757:
-----------------------------------

As a quick test, I confirmed that Firefox 16.0.2 would render a "{{&copy}}" as 
a full-fledged copyright symbol without the closing semicolon. Now that is far 
from conclusive proof that we need to care about entities other than the long 
utf-8 and hex-encoded variety, but it is interesting nonetheless.

I was also surprised that {{&ltfoo&gt}} rendered as {{<foo>}} in Firefox, 
despite the lack of spaces between the "entities".

The question we must answer is: are we only concerned with entities that could 
be involved in XSS attacks? If so, I must confess I don't know enough about 
that subject area to be sure what characters are considered dangerous. If not, 
then my simple example above shows that short entities may also be accepted 
with a missing semicolon.
                
> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>
>                 Key: LANG-757
>                 URL: https://issues.apache.org/jira/browse/LANG-757
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
>
>
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting 
> and correcting Cross-Site Scripting (XSS) attempts by converting escaped 
> chars like &# 60; or & lt; (remove spaces) into normal chars like < so 
> patterns like HTML tags can be detected.  Many browsers will allow variations 
> without semicolons, particularly the long UTF-8 encoding like &#0000060.  
> Please see: http://ha.ckers.org/xss.html
> Since this may not be standard HTML, maybe adding a boolean bLenient 
> parameter to the method could allow better backward compatibility.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to