Uploaded image for project: 'Commons Text'
  1. Commons Text
  2. TEXT-43

[XSS] StringEscapeUtils.escapeHtml() must escape ' chars to '

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Reopened
    • Minor
    • Resolution: Unresolved
    • None
    • 1.x
    • None
    • Operating System: All
      Platform: All

    Description

      If developers putting untrusted data into attribute values using the single quote character ' and StringEscapeUtils.escapeHtml() like:

      <input type='text' name='input' value='<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'>

      Then, the attacker is able to break out of the HTML attribute context like:

      hxxp://example.org/?input=' onfocus='alert(document.cookie);' id='
      <input type='text' name='input' value=''onfocus='alert(document.cookie);'id=''>

      I think LANG-122 is not truly fixed from this aspect (XSS).

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. LANG-1042 StringEscapeUtils.escapeHtml() does not escape single quote

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              Unassigned Unassigned
              k.kato Keisuke Kato
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: