[ https://issues.apache.org/jira/browse/TEXT-215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno P. Kinoshita updated TEXT-215:
------------------------------------
    Assignee: Bruno P. Kinoshita

> NumericEntityUnescaper may miss decimal entity
> ----------------------------------------------
>
>                 Key: TEXT-215
>                 URL: https://issues.apache.org/jira/browse/TEXT-215
>             Project: Commons Text
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Richard Bunel
>            Assignee: Bruno P. Kinoshita
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> *Description:*
> A security breach can be used in the NumericEntityUnescaper through the use 
> of decimal character entities.
> At 
> [line|https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/translate/NumericEntityUnescaper.java#L117]
>  117 a string of hexadecimal characters is searched, whether or not the 
> entity is a hexadecimal one.
> Therefore, if the "semiColonOptional" option is enabled and a decimal entity 
> without a semi-colon is immediately followed by one or several letters from A 
> to F, these letters will be caught. The Integer parsing with a radix of 10 
> will then fail and the whole entity will be ignored.
> *Example:*
> If one uses the following string: 
> {code:java}
> <iframe src=\"&#106avascript:alert(1)\">{code}
> The sequence identifying the entity will wrongly be "&#106a" instead of 
> "&#106".
> As "&#106a" is not a valid decimal entity, its Integer parsing fails and the 
> whole entity remains escaped.
> Such code would then trigger the alert on all modern browsers.
> *Solution:*
> The fix for this is to restrict hexadecimal characters to hexadecimal 
> entities and decimal characters to decimal entities.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
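The digit scan the report describes, modelled as an added Python example (not Commons Text's own Java code): the `fixed` switch on the hypothetical `unescape` function selects the report's proposed fix, and the sample string is the one quoted in the report.

```python
# Model of the NumericEntityUnescaper scan from TEXT-215 (added example,
# not the library's code). semiColonOptional behaviour is assumed: a
# trailing ';' is consumed when present and not required when absent.

def _scan_entity(s: str, i: int, fixed: bool):
    """Return (decoded_char, chars_consumed) for a numeric entity starting at
    s[i], or None when there is no valid entity there."""
    if not s.startswith("&#", i):
        return None
    start = i + 2
    is_hex = start < len(s) and s[start] in "xX"
    if is_hex:
        start += 1
    end = start
    while end < len(s):
        c = s[end]
        # Bug: the decimal branch also accepts A-F, so "&#106a" is scanned as
        # one entity. Fix: restrict the digit class to the entity's radix.
        if is_hex or not fixed:
            ok = c in "0123456789abcdefABCDEF"
        else:
            ok = c in "0123456789"
        if not ok:
            break
        end += 1
    if end == start:
        return None
    semi = end < len(s) and s[end] == ";"
    try:
        code = int(s[start:end], 16 if is_hex else 10)
    except ValueError:
        return None  # e.g. int("106a", 10) fails: entity left untouched
    return chr(code), end - i + (1 if semi else 0)


def unescape(s: str, fixed: bool = True) -> str:
    """Decode numeric character entities in s (buggy scan when fixed=False)."""
    out, i = [], 0
    while i < len(s):
        hit = _scan_entity(s, i, fixed)
        if hit:
            out.append(hit[0])
            i += hit[1]
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    sample = '<iframe src="&#106avascript:alert(1)">'  # from the report
    print(unescape(sample, fixed=False))  # entity skipped, string unchanged
    print(unescape(sample, fixed=True))   # "&#106" decoded to 'j'
```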