[ https://issues.apache.org/jira/browse/LANG-871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13594302#comment-13594302 ]

Henri Yandell commented on LANG-871:
------------------------------------

Something to determine is whether the escapeFoo methods are for the purposes of 
security or not. The original intent was that it allowed you to escape field 
values without breaking the document it was going into, not to handle security 
threats.
                
> [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
> ------------------------------------------------------------------
>
>                 Key: LANG-871
>                 URL: https://issues.apache.org/jira/browse/LANG-871
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.1
>            Reporter: Andy Reek
>              Labels: XSS
>
> org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape 
> via a prefixed '\' on all characters which must be escaped. I am not sure if 
> this is really secure, if I am looking at the comments on 
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values.
> They say it is possible to do an attack by escaping the escape. I tested this 
> with the string '\"' and the output was '\\\"'. Is this really 
> ECMAScript/JavaScript secure? Or is it better to use the implementation used 
> by OWASP?
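
As an added illustration of the "escape the escape" concern raised in the report (example code written for this page, not Commons Lang source and not OWASP's implementation): three small escapers for a value that is about to be placed inside a JavaScript string literal, plus a harness that assembles the literal the way a template would and parses it with the real JavaScript engine. `escapeQuotesOnly` is the naive pattern the attack targets; `escapeBackslashStyle` only approximates the backslash-prefix behaviour described above (it is not the StringEscapeUtils code); `escapeHexStyle` follows the \xHH approach from the OWASP rule the report links to. All input strings are constructed for the demo.

```javascript
// Added example, not Commons Lang code. Compares three ways of escaping an
// untrusted value for a JavaScript string literal and checks, with the real
// parser, whether the value stays a string or breaks out of the quotes.

// 1. Naive: escape only the quote characters. An input that already ends in
//    a backslash neutralises the added backslash ("escape the escape").
function escapeQuotesOnly(s) {
  return s.replace(/["']/g, (c) => "\\" + c);
}

// 2. Backslash-prefix style: the backslash itself is escaped FIRST, then
//    quotes, slash and a few control characters. Approximates what the report
//    describes ('\"' -> '\\\"'); it is not the StringEscapeUtils source.
function escapeBackslashStyle(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\//g, "\\/")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\t/g, "\\t");
}

// 3. OWASP Rule #3 style: \xHH for every non-alphanumeric ASCII character,
//    \uHHHH (or \u{...}) for everything else. No character that means
//    anything to the tokenizer survives, so there is nothing to "un-escape".
function escapeHexStyle(s) {
  let out = "";
  for (const ch of s) {               // iterates code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += "\\x" + cp.toString(16).toUpperCase().padStart(2, "0");
    } else if (cp < 0x10000) {
      out += "\\u" + cp.toString(16).toUpperCase().padStart(4, "0");
    } else {
      out += "\\u{" + cp.toString(16).toUpperCase() + "}";
    }
  }
  return out;
}

// The hypothetical server template: the escaped value lands between double
// quotes and is followed by a benign statement.
function embed(escaped) {
  return 'var v = "' + escaped + '"; return v;';
}

// Assemble the script and parse/run it with the engine itself. `broke` is true
// when the untrusted text changed the program (syntax error, or a different
// value than the one we tried to embed) instead of staying an inert string.
// Deliberately uses new Function: this harness *is* the victim page.
function evaluate(escapeFn, untrusted) {
  const src = embed(escapeFn(untrusted));
  try {
    const value = new Function(src)();
    return { src, ok: true, value, broke: value !== untrusted };
  } catch (e) {
    return { src, ok: false, value: null, broke: true, error: e.name };
  }
}

// Constructed test inputs: the exact string from the report, and a payload
// that turns the escape-the-escape trick into code execution.
const SAMPLES = ['\\"', '\\"; return 1+1; //'];
const ESCAPERS = { escapeQuotesOnly, escapeBackslashStyle, escapeHexStyle };

function runAll() {
  const results = {};
  for (const [name, fn] of Object.entries(ESCAPERS)) {
    results[name] = SAMPLES.map((s) => evaluate(fn, s));
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, rows] of Object.entries(runAll())) {
    for (const r of rows) {
      console.log(name.padEnd(22), r.broke ? "BROKE OUT" : "intact   ", r.src);
    }
  }
}
```

With the report's own test string the naive escaper emits `\\"`, which the parser reads as a one-backslash string followed by a dangling quote; escaping the backslash first yields `\\\"`, the output the reporter observed, and the value round-trips. The hex style sidesteps the question entirely because no quote or backslash reaches the tokenizer at all. Whether a library *intends* that guarantee is the point Henri raises above; the harness only shows what each encoding does once it is in a string literal.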
