  1. MyFaces Core
  2. MYFACES-4238

Single quote not properly encoded in renderkit.html.util.HTMLEncoder

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.3.1
    • Fix Version/s: None
    • Component/s: General
    • Labels:
      None

      Description

      Single quotes can be used to enclose HTML attributes: 

      <img src='userInput' />

      However, only double quotes are encoded.

      As OWASP describes, single quotes should also be encoded as &#x27;
      https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

      See the following example:

      import org.apache.myfaces.shared.renderkit.html.util.*;
      import java.io.IOException;
      import java.io.StringWriter;
      
      public class FaceTest {
        private static StringWriter userInput;
      
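        public static void main(String[] args) throws IOException {
            userInput = new StringWriter(40);
            // Encode the untrusted value; the single quotes pass through unchanged.
            HTMLEncoder.encode(userInput, "x' onerror='alert(1);'//");
            // The value is placed inside a single-quoted attribute, so the
            // unencoded ' ends src and the rest is parsed as further attributes.
            System.out.println("<img src='"+ userInput.toString() +"' />");
        }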
      
      }
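
The following is an added example, not part of the original report and not MyFaces code: it puts a stand-in for the reported behaviour next to an encoder that also escapes the single quote, using the input from the report. The class and method names are hypothetical, and the stand-in only mirrors what the report describes (double quotes encoded, single quotes not).

```java
// Added illustration; not MyFaces code. Class and method names are hypothetical.
public class SingleQuoteEncodingDemo {

    // Stand-in for the behaviour described in the report: the usual HTML
    // metacharacters are escaped, but the single quote is passed through.
    static String encodeDoubleQuoteOnly(String s) {
        return encode(s, false);
    }

    // Same encoder with the OWASP rule applied: ' becomes &#x27;.
    static String encodeBothQuotes(String s) {
        return encode(s, true);
    }

    private static String encode(String s, boolean escapeSingleQuote) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'':
                    if (escapeSingleQuote) out.append("&#x27;"); else out.append(c);
                    break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // True if the encoded value cannot terminate a single-quoted attribute.
    static boolean safeInSingleQuotedAttribute(String encoded) {
        return encoded.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        String userInput = "x' onerror='alert(1);'//"; // input from the report
        for (String enc : new String[] { encodeDoubleQuoteOnly(userInput), encodeBothQuotes(userInput) }) {
            System.out.println("<img src='" + enc + "' />  safe=" + safeInSingleQuotedAttribute(enc));
        }
    }
}
```

The check in safeInSingleQuotedAttribute can also serve as a unit-test assertion for any encoder whose output is written into single-quoted attributes.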

            People

            • Assignee:
              Unassigned
              Reporter:
              mattaustin Matt Austin