[
https://issues.apache.org/jira/browse/LANG-1042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14162966#comment-14162966
]
Robert Sussland edited comment on LANG-1042 at 10/8/14 2:35 AM:
----------------------------------------------------------------
Sorry for not being clear. Generally the escaping is done on user data that is
quoted in the template -- you wouldn't escape the entire template. A simple
example, without a template, would be
{code:title=Bar.java|borderStyle=solid}
import org.apache.commons.lang3.StringEscapeUtils;

public class Sample {
    public static void main(String[] args) {
        // untrusted input that tries to close the single-quoted attribute early
        String taint = "' onclick='payload' ";
        // now we should be able to safely assign to an html attribute
        String escaped = StringEscapeUtils.escapeHtml3(taint);
        String generatedHtml = "<div title='" + escaped + "'>Howdy</div>";
        // prints <div title='' onclick='payload' '>Howdy</div>, which is unsafe for html rendering:
        // escapeHtml3 leaves the single quotes untouched, so the value breaks out of the attribute
        System.out.println(generatedHtml);
    }
}
{code}
> StringEscapeUtils.escapeHtml() does not escape single quote
> -----------------------------------------------------------
>
> Key: LANG-1042
> URL: https://issues.apache.org/jira/browse/LANG-1042
> Project: Commons Lang
> Issue Type: Bug
> Reporter: Robert Sussland
> Priority: Critical
>
> The String Escape Utils should ensure that encoded data cannot escape from a
> string. However in HTML (starting with 1.0 and until the present), attribute
> values may be denoted by either single or double quotes. Therefore single
> quotes need to be escaped just as much as double quotes.
> From the standard:
> http://www.w3.org/TR/html4/intro/sgmltut.html#h-3.2.2:
> "
> By default, SGML requires that all attribute values be delimited using either
> double quotation marks (ASCII decimal 34) or single quotation marks (ASCII
> decimal 39). Single quote marks can be included within the attribute value
> when the value is delimited by double quote marks, and vice versa. Authors
> may also use numeric character references to represent double quotes (&#34;)
> and single quotes (&#39;). For double quotes authors can also use the
> character entity reference &quot;.
> "
> Note that there have been several bugs in the wild in which string encoders
> use this library under the hood, and as a result fail to properly escape html
> attributes in which user input is stored:
> <div title='<%=user_data%>'>Howdy</div>
> if user_data = ' onclick='payload' '
> then an attacker can inject their code into the page even if the developer is
> using the string escape utils to escape the user string.
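As an added example (not code from the report, the comment above, or Commons Lang itself), the following shows the single-quoted attribute case from the description and the comment: escapeHtml4, like escapeHtml3, leaves the apostrophe alone, while a small wrapper that also encodes it as a numeric reference keeps the value inside the attribute. The names escapeHtmlAttribute, render and staysInsideSingleQuotes are assumed here.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class AttributeEscapeDemo {

    // Hypothetical helper (not part of Commons Lang): escape a value for use
    // inside any HTML attribute. escapeHtml4 covers & < > and " but not ', so
    // the apostrophe is encoded as &#39;, a numeric reference every HTML parser
    // understands (&apos; is not defined in HTML 4, so it is avoided).
    static String escapeHtmlAttribute(String userData) {
        return StringEscapeUtils.escapeHtml4(userData).replace("'", "&#39;");
    }

    // The template from the report: the attribute value is single-quoted.
    static String render(String escapedUserData) {
        return "<div title='" + escapedUserData + "'>Howdy</div>";
    }

    // Check a reviewer can apply: inside a single-quoted attribute the escaped
    // value must not contain the delimiter character at all.
    static boolean staysInsideSingleQuotes(String escapedUserData) {
        return escapedUserData.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample input with the same shape as user_data in the report
        String taint = "' onclick='payload' ";

        // Library escaping alone: the apostrophes survive, the value closes the
        // title attribute early and the rest becomes a new attribute.
        String weak = StringEscapeUtils.escapeHtml4(taint);
        System.out.println(render(weak));
        System.out.println("stays inside quotes: " + staysInsideSingleQuotes(weak));

        // Wrapper: no raw apostrophe remains, the whole input is attribute text.
        String safe = escapeHtmlAttribute(taint);
        System.out.println(render(safe));
        System.out.println("stays inside quotes: " + staysInsideSingleQuotes(safe));
    }
}
```

Compile against commons-lang3 on the classpath; the same check fails for escapeHtml3 and escapeHtml4 and passes only for the wrapper.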
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)