Matt Austin created MYFACES-4238:
------------------------------------

             Summary: Single quote not properly encoded in 
renderkit.html.util.HTMLEncoder
                 Key: MYFACES-4238
                 URL: https://issues.apache.org/jira/browse/MYFACES-4238
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions: 2.3.1
            Reporter: Matt Austin


Single quotes can be used to enclose HTML attributes: 
{code:java}
<img src='userInput' />{code}
However only double quotes are encoded. 

As OWASP describes single quotes should also be encoded as &#x27;
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

See the following example: 

{code:java}

import org.apache.myfaces.shared.renderkit.html.util.*;
import java.io.IOException;
import java.io.StringWriter;

public class FaceTest {
  private static StringWriter userInput;

  public static void main(String[] args) throws IOException {
      userInput = new StringWriter(40);
      HTMLEncoder.encode(userInput, "x onerror='alert(1);'//");
      System.out.println("<img src='"+ userInput.toString() +"' />");
  }

}{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to