Uploaded image for project: 'Commons Text'
  1. Commons Text
  2. TEXT-42

[XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript?

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • 1.x

    Description

      org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape via a prefixed '\' on all characters which must be escaped. I am not sure if this is really secure, if am looking at the comments on https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values. They say it is possible to do an attack by escape the escape. I tested this with the string '\"' and the output was '\\\"'. Is this really ecma-/java-script secure? Or is it better to use the implementation used by OWASP?

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. TEXT-52 [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScrip better javadoc

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              aree Andy Reek
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated: