[
https://issues.apache.org/jira/browse/TEXT-42?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862424#comment-15862424
]
Rob Tompkins commented on TEXT-42:
----------------------------------
I'm fairly neutral on new methods. I doubt adding something named "secureFoo"
would ever be reasonable because it's the virtue of the name seems to indicate
that it's entirely secure. Whereas, that seems difficult to achieve because
security is determined by the usage context.
Sebb's point:
bq. I guess the question is: would using hex-encoding for all but alphanumeric
characters break any scripts?
seems reasonable, maybe we could implement such a method named something like
"escapeEcmaWithHexEncodingsScript" after some exploration has been done to
resolve that question.
> [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?
> ------------------------------------------------------------------
>
> Key: TEXT-42
> URL: https://issues.apache.org/jira/browse/TEXT-42
> Project: Commons Text
> Issue Type: Bug
> Reporter: Andy Reek
> Labels: XSS
> Fix For: 1.x
>
>
> org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape
> via a prefixed '\' on all characters which must be escaped. I am not sure if
> this is really secure, if am looking at the comments on
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values.
> They say it is possible to do an attack by escape the escape. I tested this
> with the string '\"' and the output was '\\\"'. Is this really
> ecma-/java-script secure? Or is it better to use the implementation used by
> OWASP?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
