[jira] [Updated] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon

2013-10-21 Thread Henri Yandell (JIRA)

 [ 
https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Henri Yandell updated LANG-757:
---

Fix Version/s: Discussion

 StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
 -

 Key: LANG-757
 URL: https://issues.apache.org/jira/browse/LANG-757
 Project: Commons Lang
  Issue Type: Improvement
  Components: lang.*
Reporter: Steve Hale
Priority: Minor
 Fix For: Discussion

 Attachments: commons-lang3-LANG-757.patch


 org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting 
 and correcting Cross-Site Scripting (XSS) attempts by converting escaped 
 chars like &# 60; or & lt; (remove spaces) into normal chars like < so 
 patterns like HTML tags can be detected.  Many browsers will allow variations 
 without semicolons, particularly the long UTF-8 encoding like &#060.  
 Please see: http://ha.ckers.org/xss.html
 Since this may not be standard HTML, maybe adding a boolean bLenient 
 parameter to the method could allow better backward compatibility.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
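The issue description above makes a normalization point: a filter that only decodes references terminated by ';' will leave `&#060` or `&lt` untouched, while the browser rendering the same bytes will decode them. The following is an added illustration of that strict-versus-lenient difference; it is not the Commons Lang implementation or the patch attached to LANG-757, and the `NAMED_ENTITIES` map, the `lenient` flag and the `contains_markup` helper are names chosen for this example.

```python
"""Lenient HTML character-reference decoding as a normalization step
before looking for markup. Added example, not Commons Lang code."""
import re

# Named references that matter for spotting markup. A complete decoder
# would carry the full HTML named-character table; this short map is an
# assumption made for the example.
NAMED_ENTITIES = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}

# One reference: '&', then a hex, decimal or named body, then an optional ';'.
ENTITY_RE = re.compile(r"&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);?")

# A decoded '<' followed by an optional '/' and the start of a tag name.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def _decode_numeric(body):
    """Decode '#60', '#060' or '#x3C' to its character; None if unusable."""
    try:
        code_point = int(body[2:], 16) if body[1] in "xX" else int(body[1:], 10)
    except ValueError:
        return None
    if 0 < code_point <= 0x10FFFF and not 0xD800 <= code_point <= 0xDFFF:
        return chr(code_point)
    return None


def unescape_html(text, lenient=False):
    """Decode HTML character references in a single pass.

    lenient=False: only references terminated by ';' are decoded.
    lenient=True:  the ';' is optional, and a named body such as 'ltb' is
                   resolved by its longest known prefix ('lt' + 'b'), which
                   approximates how browsers recover unterminated references.
    A single pass means '&amp;lt;' becomes '&lt;' and is not decoded twice.
    """
    def replace(match):
        original, body = match.group(0), match.group(1)
        if not original.endswith(";") and not lenient:
            return original
        if body.startswith("#"):
            decoded = _decode_numeric(body)
            return original if decoded is None else decoded
        if body in NAMED_ENTITIES:
            return NAMED_ENTITIES[body]
        if lenient:
            # Longest-prefix match for an unterminated named reference.
            for cut in range(len(body) - 1, 0, -1):
                if body[:cut] in NAMED_ENTITIES:
                    return NAMED_ENTITIES[body[:cut]] + body[cut:]
        return original

    return ENTITY_RE.sub(replace, text)


def contains_markup(text, lenient=True):
    """True if the text decodes to something that looks like an HTML tag."""
    return TAG_RE.search(unescape_html(text, lenient)) is not None


if __name__ == "__main__":
    # Constructed samples: the same harmless <b> tag written three ways.
    for sample in ["&#60;b&#62;", "&#060b&#062", "&ltb&gt"]:
        print(f"{sample!r:16} strict={contains_markup(sample, lenient=False)!s:5} "
              f"lenient={contains_markup(sample, lenient=True)}")
```

Run stand-alone, the loop shows the strict decoder flagging only the first sample while the lenient decoder flags all three, which is the gap the reporter describes. The lenient mode is the one to use when the goal is to see what a browser would see; the strict mode remains the safe default for round-tripping data, since the longest-prefix rule can change text such as `AT&ltd` that was never meant as a reference.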


[jira] [Updated] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon

2012-11-14 Thread Duncan Jones (JIRA)

 [ 
https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Duncan Jones updated LANG-757:
--

Attachment: (was: commons-lang3-LANG-757.patch)

 StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
 -

 Key: LANG-757
 URL: https://issues.apache.org/jira/browse/LANG-757
 Project: Commons Lang
  Issue Type: Improvement
  Components: lang.*
Affects Versions: 2.x
Reporter: Steve Hale
Priority: Minor
 Attachments: commons-lang3-LANG-757.patch


 org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting 
 and correcting Cross-Site Scripting (XSS) attempts by converting escaped 
 chars like &# 60; or & lt; (remove spaces) into normal chars like < so 
 patterns like HTML tags can be detected.  Many browsers will allow variations 
 without semicolons, particularly the long UTF-8 encoding like &#060.  
 Please see: http://ha.ckers.org/xss.html
 Since this may not be standard HTML, maybe adding a boolean bLenient 
 parameter to the method could allow better backward compatibility.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Updated] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon

2012-11-14 Thread Duncan Jones (JIRA)

 [ 
https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Duncan Jones updated LANG-757:
--

Attachment: commons-lang3-LANG-757.patch

New patch reverts public method to private and adds comment explaining the 
simplistic removal of the semicolon.

 StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
 -

 Key: LANG-757
 URL: https://issues.apache.org/jira/browse/LANG-757
 Project: Commons Lang
  Issue Type: Improvement
  Components: lang.*
Affects Versions: 2.x
Reporter: Steve Hale
Priority: Minor
 Attachments: commons-lang3-LANG-757.patch


 org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting 
 and correcting Cross-Site Scripting (XSS) attempts by converting escaped 
 chars like &# 60; or & lt; (remove spaces) into normal chars like < so 
 patterns like HTML tags can be detected.  Many browsers will allow variations 
 without semicolons, particularly the long UTF-8 encoding like &#060.  
 Please see: http://ha.ckers.org/xss.html
 Since this may not be standard HTML, maybe adding a boolean bLenient 
 parameter to the method could allow better backward compatibility.



[jira] [Updated] (LANG-757) StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon

2012-09-22 Thread Duncan Jones (JIRA)

 [ 
https://issues.apache.org/jira/browse/LANG-757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Duncan Jones updated LANG-757:
--

Attachment: commons-lang3-LANG-757.patch

Attached is a patch that adds overloaded unescapeHtml3 and unescapeHtml4 
methods, which accept a boolean parameter to indicate if semicolons are 
optional (plus tests).

 StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
 -

 Key: LANG-757
 URL: https://issues.apache.org/jira/browse/LANG-757
 Project: Commons Lang
  Issue Type: Improvement
  Components: lang.*
Affects Versions: 2.x
Reporter: Steve Hale
Priority: Minor
 Attachments: commons-lang3-LANG-757.patch


 org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting 
 and correcting Cross-Site Scripting (XSS) attempts by converting escaped 
 chars like &# 60; or & lt; (remove spaces) into normal chars like < so 
 patterns like HTML tags can be detected.  Many browsers will allow variations 
 without semicolons, particularly the long UTF-8 encoding like &#060.  
 Please see: http://ha.ckers.org/xss.html
 Since this may not be standard HTML, maybe adding a boolean bLenient 
 parameter to the method could allow better backward compatibility.
