Repository: commons-text Updated Branches: refs/heads/master ba4e4932f -> e1d091c90
TEXT-52: Javadoc for XSS on escapeEcmaScript Project: http://git-wip-us.apache.org/repos/asf/commons-text/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-text/commit/e1d091c9 Tree: http://git-wip-us.apache.org/repos/asf/commons-text/tree/e1d091c9 Diff: http://git-wip-us.apache.org/repos/asf/commons-text/diff/e1d091c9 Branch: refs/heads/master Commit: e1d091c90917e9317c2c021298c9bfa94b64b469 Parents: ba4e493 Author: Rob Tompkins <chtom...@gmail.com> Authored: Mon Jan 2 10:02:13 2017 -0500 Committer: Rob Tompkins <chtom...@gmail.com> Committed: Mon Jan 2 10:02:13 2017 -0500 ---------------------------------------------------------------------- src/main/java/org/apache/commons/text/StringEscapeUtils.java | 8 ++++++++ .../commons/text/translate/SingleLookupTranslator.java | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/commons-text/blob/e1d091c9/src/main/java/org/apache/commons/text/StringEscapeUtils.java ----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/text/StringEscapeUtils.java b/src/main/java/org/apache/commons/text/StringEscapeUtils.java
index 69ec2a1..57eb92a 100644
--- a/src/main/java/org/apache/commons/text/StringEscapeUtils.java
+++ b/src/main/java/org/apache/commons/text/StringEscapeUtils.java
@@ -612,6 +612,14 @@ public class StringEscapeUtils {
 * output string: He didn\'t say, \"Stop!\"
 * </pre>
 *
+ * <b>Security Note.</b> We only provide backslash escaping in this method. For example, {@code '\"'} has the output
+ * {@code '\\\"'} which could result in potential issues in the case where the string being escaped is being used
+ * in an HTML tag like {@code <select onmouseover="..." />}. If you wish to have more rigorous string escaping, you
+ * may consider the
+ * <a href="https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API_JAVA">ESAPI Libraries</a>. Further,
+ * you can view the
+ * <a href="https://github.com/esapi">ESAPI GitHub Org</a>.
+ *
 * @param input String to escape values in, may be null
 * @return String with escaped values, {@code null} if null string input
 */
http://git-wip-us.apache.org/repos/asf/commons-text/blob/e1d091c9/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java ----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java b/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
index 0b9117e..e52daf8 100644
--- a/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
+++ b/src/main/java/org/apache/commons/text/translate/SingleLookupTranslator.java
@@ -33,7 +33,7 @@ public class SingleLookupTranslator extends CharSequenceTranslator {
 * lookup table passed to this instance while deciding whether a value is
 * already translated or not.
 *
- * @param inputArrays
+ * @param inputArrays, an array of string arrays.
 */
 public SingleLookupTranslator(final String[][]... inputArrays) {
 String[][] lookup = new String[0][];
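Review bot: The example in the first two added lines of the Security Note renders with the wrong characters: `{@code ...}` shows its content literally, so a reader of the generated Javadoc sees the input as `'\"'` and the output as `'\\\"'`, whereas the method turns a single `"` into `\"` (the `<pre>` example just above in the same comment writes the real output characters, `\"Stop!\"`). Suggest writing the characters as they appear, e.g. `For example, {@code "} has the output {@code \"}`. The note would also be more useful if it said why that is a problem instead of "potential issues": an HTML parser reads an attribute value before any JavaScript escaping is interpreted, so the backslash does not stop `"` from ending `onmouseover="..."`, and output placed in such a context must additionally be HTML-attribute-encoded for the outer context. The method declaration this Javadoc documents lies outside the hunk.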
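Review bot: The new `@param` line in the SingleLookupTranslator constructor Javadoc has a comma glued to the parameter name, `@param inputArrays, an array of string arrays.`; javadoc takes the first whitespace-delimited token as the name, so this will most likely be reported as an unknown parameter under doclint and the description will not attach to `inputArrays`. Change it to `* @param inputArrays an array of string arrays.`. The constructor body continues past the end of the hunk.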