[
https://issues.apache.org/jira/browse/LANG-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13645417#comment-13645417
]
jukefox commented on LANG-572:
------------------------------
OK. Then if you plan to modify / add the requested escape functionality for
HTML it should be done for the other formats in an analogous manner so that it
is possible to embed arbitrary textual content within certain formatted data
(HTML, JavaScript, CSV etc.) without interpretation.
I don't think that there are many people out there that are aware of the
current behaviour of these methods and don't expect the same as I do.
> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
> ------------------------------------------------------------------
>
> Key: LANG-572
> URL: https://issues.apache.org/jira/browse/LANG-572
> Project: Commons Lang
> Issue Type: Improvement
> Components: lang.*
> Affects Versions: 2.4
> Environment: Operating System: All
> Platform: All
> Reporter: Keisuke Kato
> Priority: Minor
>
> If developers put untrusted data into attribute values using the single
> quote character ' and StringEscapeUtils.escapeHtml(), like:
> <input type='text' name='input'
> value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
> Then, the attacker is able to break out of the HTML attribute context like:
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
> <input type='text' name='input'
> value='*'onfocus='alert(document.cookie);'id='*'>
> I think LANG-122 (https://issues.apache.org/jira/browse/LANG-122) is not
> truly fixed from this aspect (XSS).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
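The attribute break-out described in the ticket, reproduced as an added example (not code from the Commons Lang project or from the ticket itself). escape_html_no_apos() mirrors the behaviour the report attributes to escapeHtml() in 2.4 (escaping & < > " but not '), and escape_html_with_apos() is the hardened variant that also emits &#39;; both names, render_input() and parse_input_attrs() are assumptions for this demonstration. The page is rendered with the same single-quoted template as the report and then parsed with Python's html.parser to show which attributes the browser-side parser would actually see.

```python
from html.parser import HTMLParser

# Assumed re-implementation of the escapeHtml() behaviour the ticket
# describes (& < > " are escaped, the single quote is not). This is an
# illustration, not the Commons Lang code.
def escape_html_no_apos(s: str) -> str:
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))

# Hardened variant: additionally turns ' into &#39;. The numeric entity is
# used rather than &apos; because &apos; is not defined in HTML 4.
def escape_html_with_apos(s: str) -> str:
    return escape_html_no_apos(s).replace("'", "&#39;")

# The template from the report: untrusted value inside a single-quoted attribute.
def render_input(value: str, escaper) -> str:
    return "<input type='text' name='input' value='%s'>" % escaper(value)

class _AttrCollector(HTMLParser):
    """Records the attributes the parser assigns to the <input> start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def parse_input_attrs(markup: str) -> dict:
    """Parse the rendered fragment and return the <input> attributes as seen
    by an HTML parser (attribute values are entity-decoded)."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs

# Constructed payload, taken from the report's URL parameter.
PAYLOAD = "' onfocus='alert(document.cookie);' id='"

if __name__ == "__main__":
    for name, esc in (("no_apos", escape_html_no_apos),
                      ("with_apos", escape_html_with_apos)):
        markup = render_input(PAYLOAD, esc)
        attrs = parse_input_attrs(markup)
        print(name, markup)
        print("  parsed attributes:", attrs)
        print("  event handler injected:", "onfocus" in attrs)
```

With the unhardened escaper the parser reports an onfocus attribute and an empty value; with the hardened escaper the whole payload stays inside value and no handler attribute exists. Note that escaping ' only helps when the attribute is quoted at all: an unquoted attribute (value=<%= ... %>) can be broken out of with a space, so quoting the attribute and escaping both quote characters are needed together.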