[
https://issues.apache.org/jira/browse/TEXT-154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rob Spoor closed TEXT-154.
--------------------------
Resolution: Not A Problem
I missed that the / is already escaped. That turns </script> into <\/script>
which does not suffer the same problem.
> StringEscapeUtils.escapeEcmaScript does not escape </script>
> ------------------------------------------------------------
>
> Key: TEXT-154
> URL: https://issues.apache.org/jira/browse/TEXT-154
> Project: Commons Text
> Issue Type: Bug
> Affects Versions: 1.6
> Reporter: Rob Spoor
> Priority: Critical
>
> According to
> https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md,
> just above RULE #3.1, HTML parsing occurs before JavaScript parsing. That
> means that any </script> will be treated as a script end tag, even if used
> inside a JavaScript string. For instance, the following looks like a script
> end tag inside a string followed by some incorrect syntax:
> {code}<script type="text/javascript">
> var s = 'this is a string with a </script><script
> type="text/javascript">alert("Hi!"); var s = '. Is this still JavaScript?';
> </script>
> {code}
> However, the browser shows the alert. That's because for the browser, these
> are actually two script tags:
> # {code}<script type="text/javascript">
> var s = 'this is a string with a </script>{code}
> # {code}<script type="text/javascript">alert("Hi!"); var s = '. Is this still
> JavaScript?';
> </script>{code}
> This can actually be prevented very easily by escaping {{</script>}} to
> either {{\u003C/script>}} or {{\x3C/script}}. Both mean the same thing as
> {{</script>}} for JavaScript, but the HTML parser will leave it alone.
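An added example (not part of the issue and not Commons Text code) that checks the closing comment's point: once `/` is escaped, the HTML parser no longer sees a script end tag, and the JavaScript string value is unchanged. All function names are hypothetical, the sample string is constructed, and `scriptEndIndex` is a simplified stand-in for the HTML tokenizer's end-tag rule.

```javascript
// Added illustration; names are hypothetical and the sample input is constructed.

// Escapes every JS string escaper needs for a single-quoted literal.
const BASE = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r' };

function escapeJsString(s, extra = {}) {
  const map = { ...BASE, ...extra };
  return Array.from(s, (c) => map[c] ?? c).join('');
}

// Three variants: no special handling, "/" -> "\/" (the behaviour the closing
// comment describes), and "<" -> "\u003C" (the form proposed in the issue).
const naive = (s) => escapeJsString(s);
const slashEscaped = (s) => escapeJsString(s, { '/': '\\/' });
const ltEscaped = (s) => escapeJsString(s, { '<': '\\u003C' });

// Approximates where an HTML parser ends an inline <script> body: the first
// "</script" (ASCII case-insensitive) followed by whitespace, "/" or ">".
// Simplification: the "<!--" escaped tokenizer states are not modelled.
function scriptEndIndex(body) {
  const m = /<\/script[\t\n\f \/>]/i.exec(body);
  return m ? m.index : -1;
}

// Evaluates the escaped text as a single-quoted JS literal, to confirm the
// escaping did not change the string's value.
function decodeLiteral(lit) {
  return new Function(`return '${lit}';`)();
}

// Constructed sample containing two spellings of the end tag.
const sample = "ends with </script> and </SCRIPT > too";

for (const [name, fn] of Object.entries({ naive, slashEscaped, ltEscaped })) {
  const lit = fn(sample);
  console.log(name.padEnd(13), 'end tag at', scriptEndIndex(lit),
    '| round-trips:', decodeLiteral(lit) === sample);
}
```
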