Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-3135

In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

    XMLWordPrintableJSON

Details

    Description

      It's because HTMLEntityCodec.getNamedEntity stop at the first entity found
      so it will never return &sup2 or &sup3 because &sup exists, neither &piv
      because &pi exists and all other entities where a shorter entity exists.

      See bug reports :
      http://code.google.com/p/owasp-esapi-java/issues/detail?id=45

      Attach is a recompile patched version of the library based on
      owasp-esapi-java-src-1.4.zip
      and a diff of src/org/owasp/esapi/codecs/HTMLEntityCodec.java

      Attachments

        1. patch-owasp-1.4.diff
          31 kB
          Patrick Antivackis
        2. owasp-esapi-full-java-1.4.jar
          135 kB
          Patrick Antivackis

        Issue Links

          relates to

          Task - A task that needs to be done. OFBIZ-5343 Update owasp-esapi-java

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              jleroux Jacques Le Roux
              patrick.antivackis Patrick Antivackis
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: