[
https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Henri Yandell reopened LANG-572:
--------------------------------
Good question, definitely no heresy :)
I know my original intent 10+ years ago in my codebase was to use it to escape
trusted arbitrary content. A known database being outputted as HTML (or XML or
the other formats it's grown to cover). I don't recall if the Lang one descends
from my original code or if it came from some of the code that was in Commons
Util back then.
I'm pretty sure my early code escaped the entities to numerics rather than the
ISO terms, then the big lookup table was added to make the output more pleasing.
So today what it's useful for is being an entity converter, with the addition
that it also escapes the basic four characters of XML. Perhaps the API should
change to not be escapeHtml but instead drop the XML characters and be
convertToISOEntities. Or perhaps it should focus on the Security aspects (reuse
parts of OSAPI?). The former might not be very useful codewise, while the
latter takes Lang further from general utilities and into kitchen sink. I'd
rather the OSAPI folk were declaring the line on security around HTML :)
Reopening this to ensure discussion continues.
> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
> ------------------------------------------------------------------
>
> Key: LANG-572
> URL: https://issues.apache.org/jira/browse/LANG-572
> Project: Commons Lang
> Issue Type: Improvement
> Components: lang.*
> Affects Versions: 2.4
> Environment: Operating System: All
> Platform: All
> Reporter: Keisuke Kato
> Priority: Minor
>
> If developers put untrusted data into attribute values using the single
> quote character ' and StringEscapeUtils.escapeHtml() like:
> <input type='text' name='input'
> value='<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=' onfocus='alert(document.cookie);' id='
> <input type='text' name='input'
> value=''onfocus='alert(document.cookie);'id=''>
> I think LANG-122 (https://issues.apache.org/jira/browse/LANG-122) is not
> truly fixed from this aspect (XSS).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
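The attribute-context breakout described in the quoted report, as an added example (not Commons Lang or the reporter's code): a Python escaper that covers only the four XML characters, which is the behaviour the report attributes to escapeHtml() in 2.4, beside one that also encodes the single quote, plus a small check of whether the rendered tag gains attributes beyond the template's. The names escape_four, escape_attr, breaks_out and the tag-parsing regex are assumptions of this example.

```python
# Added example; not Commons Lang code. Names and the parsing regex are assumptions.
import re

# Constructed from the value shown in the report.
PAYLOAD = "' onfocus='alert(document.cookie);' id='"


def escape_four(s: str) -> str:
    """Escape only & < > " (the behaviour the report describes for escapeHtml)."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def escape_attr(s: str) -> str:
    """Escape & < > " and ' so the value is safe in either attribute quoting style."""
    return escape_four(s).replace("'", "&#39;")


def render_input(value: str, escaper) -> str:
    """The single-quoted attribute template from the report, filled with an escaped value."""
    return "<input type='text' name='input' value='%s'>" % escaper(value)


# Attribute as a browser would tokenise it: name = 'v' | "v" | unquoted
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")


def attribute_names(tag: str) -> list:
    """Return the attribute names present in a single start tag."""
    body = tag[tag.index(" "):].rstrip(">")
    return [m.group(1) for m in _ATTR_RE.finditer(body)]


def breaks_out(value: str, escaper) -> bool:
    """True if the escaped value makes the tag carry attributes the template did not."""
    expected = {"type", "name", "value"}
    return bool(set(attribute_names(render_input(value, escaper))) - expected)


if __name__ == "__main__":
    for name, esc in (("four-char escaper", escape_four), ("attribute escaper", escape_attr)):
        print(name, "->", render_input(PAYLOAD, esc), "| breaks out:", breaks_out(PAYLOAD, esc))
```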