Robert Sussland created LANG-1042:
-------------------------------------
Summary: StringEscapeUtils.escapeHtml() does not escape single
quote
Key: LANG-1042
URL: https://issues.apache.org/jira/browse/LANG-1042
Project: Commons Lang
Issue Type: Bug
Reporter: Robert Sussland
Priority: Critical
The String Escape Utils should ensure that encoded data cannot escape from a
string. However in HTML (starting with 1.0 and until the present), attribute
values may be denoted by either single or double quotes. Therefore single
quotes need to be escaped just as much as double quotes.
>From the standard:
http://www.w3.org/TR/html4/intro/sgmltut.html#h-3.2.2:
"
By default, SGML requires that all attribute values be delimited using either
double quotation marks (ASCII decimal 34) or single quotation marks (ASCII
decimal 39). Single quote marks can be included within the attribute value when
the value is delimited by double quote marks, and vice versa. Authors may also
use numeric character references to represent double quotes (") and single
quotes ('). For double quotes authors can also use the character entity
reference ".
"
Note that there have been several bugs in the wild in which string encoders use
this library under the hood, and as a result fail to properly escape html
attributes in which user input is stored:
<div title='<%=user_data%>'>Howdy</div>
if user_data = ' onclick='payload' '
then an attacker can inject their code into the page even if the developer is
using the string escape utils to escape the user string.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
