[ https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Duncan Jones updated LANG-757:
------------------------------

    Attachment: commons-lang3-LANG-757.patch

New patch reverts public method to private and adds comment explaining the simplistic removal of the semicolon.

> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>
>                 Key: LANG-757
>                 URL: https://issues.apache.org/jira/browse/LANG-757
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>    Affects Versions: 2.x
>            Reporter: Steve Hale
>            Priority: Minor
>         Attachments: commons-lang3-LANG-757.patch
>
>
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting
> and correcting Cross-Site Scripting (XSS) attempts by converting escaped
> chars like &# 60; or & lt; (remove spaces) into normal chars like < so
> patterns like HTML tags can be detected. Many browsers will allow variations
> without semicolons, particularly the long UTF-8 encoding like <.
> Please see: http://ha.ckers.org/xss.html
> Since this may not be standard HTML, maybe adding a boolean bLenient
> parameter to the method could allow better backward compatibility.
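The issue asks for lenient handling of character references that lack a trailing semicolon, so that escaped markup can be canonicalised before any XSS pattern matching runs. The Python sketch below is added here as an illustration; it is not Commons Lang code and not the attached patch. It implements the boolean switch Steve Hale suggests: in strict mode an unterminated reference is left untouched, in lenient mode decimal (including zero-padded), hexadecimal and a few named references are decoded even without the semicolon. The function names `unescape_html` and `looks_like_html_tag`, the small entity table and the sample inputs are assumptions made for this example.

```python
import re

# Constructed, deliberately small named-entity table; a real implementation
# would use the full HTML entity list.
NAMED = {"quot": '"', "apos": "'", "amp": "&", "lt": "<", "gt": ">"}

# One reference: '&' then either a numeric body (#60, #x3c) or a name,
# followed by an optional ';'. The semicolon is captured separately so the
# caller can decide whether its absence is acceptable.
_ENTITY = re.compile(r"&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*)(;?)")


def unescape_html(text: str, lenient: bool = False) -> str:
    """Decode HTML character references.

    lenient=False: only references terminated by ';' are decoded (strict).
    lenient=True:  references without ';' are decoded too, mirroring what
                   the issue reports browsers accept.
    """

    def repl(match: re.Match) -> str:
        body, semi = match.group(1), match.group(2)
        if not semi and not lenient:
            return match.group(0)  # strict mode: leave it exactly as written

        if body.startswith("#"):
            num = body[1:]
            if num[0] in "xX":
                code_point = int(num[1:], 16)
            else:
                code_point = int(num, 10)  # leading zeros are harmless here
            if code_point == 0 or code_point > 0x10FFFF:
                return match.group(0)  # not a valid character, keep literal
            return chr(code_point)

        if semi:
            return NAMED.get(body, match.group(0))  # unknown name stays as-is

        # Lenient named reference: the name may run straight into the
        # following text ("&ltscript"), so match the longest known prefix.
        for name in sorted(NAMED, key=len, reverse=True):
            if body.startswith(name):
                return NAMED[name] + body[len(name):]
        return match.group(0)

    return _ENTITY.sub(repl, text)


# Minimal "does this contain something tag-shaped" check, applied after
# canonicalisation so that the escaped forms cannot hide the angle bracket.
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")


def looks_like_html_tag(text: str, lenient: bool = False) -> bool:
    return _TAG.search(unescape_html(text, lenient)) is not None


if __name__ == "__main__":
    # Constructed samples covering the variants the issue mentions.
    samples = [
        "&#60;script&#62;",   # terminated decimal
        "&#60script&#62",     # decimal without semicolon
        "&#0000060script",    # zero-padded ("long") decimal
        "&#x3Cscript",        # hexadecimal without semicolon
        "&ltscript&gt",       # named without semicolon
    ]
    for s in samples:
        print(f"{s!r:22} strict={looks_like_html_tag(s)!s:5} "
              f"lenient={looks_like_html_tag(s, lenient=True)}")
```

The strict path reproduces the behaviour the reporter describes as insufficient: only the first sample is recognised as a tag. The lenient path recognises all five, which is the normalisation step a detector needs before matching; applying it to output that will be re-rendered is a separate decision, since it changes what otherwise would have been literal text.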