[ https://issues.apache.org/jira/browse/TEXT-215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bruno P. Kinoshita updated TEXT-215:
------------------------------------

    Assignee: Bruno P. Kinoshita

> NumericEntityUnescaper may miss decimal entity
> ----------------------------------------------
>
>                 Key: TEXT-215
>                 URL: https://issues.apache.org/jira/browse/TEXT-215
>             Project: Commons Text
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Richard Bunel
>            Assignee: Bruno P. Kinoshita
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> *Description:*
> A security breach can be used in the NumericEntityUnescaper through the use
> of decimal character entities.
> At
> [line|https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/translate/NumericEntityUnescaper.java#L117]
> 117 a string of hexadecimal characters is searched, whether or not the
> entity is a hexadecimal one.
> Therefore, if the "semiColonOptional" option is enabled and a decimal entity
> without semi-colon is immediately followed by one or several letters from A
> to F, these letters will be caught. The Integer parsing with a radix of 10
> will then fail and the whole entity will be ignored.
> *Example:*
> If one uses the following string:
> {code:java}
> <iframe src=\"javascript:alert(1)\">{code}
> The sequence identifying the entity will wrongly be "ja" instead of
> "j".
> As "ja" is not a valid decimal entity, its Integer parsing fails and the
> whole entity remains escaped.
> Such code would then trigger the alert on all modern browsers.
> *Solution:*
> The fix for this is to restrict hexadecimal characters to hexadecimal
> entities and decimal characters to decimal entities.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
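The following is an added, self-contained re-implementation of the decode loop the report describes, written for this page; it is not the Commons Text source and not the reporter's code. The "buggy" path scans hexadecimal characters for every entity and then parses with radix 10 for decimal entities, as described above; the "fixed" path restricts the digit scan to the entity's own radix. The sample input assumes the reporter's example was written as `&#106avascript:alert(1)` before Jira rendered the entity (the mail shows "ja"), so that assumption is labelled in the code.

```python
# Added example: simplified model of NumericEntityUnescaper's decode loop,
# NOT the Commons Text implementation. It exists to show why a decimal
# entity with no semicolon, followed by a-f/A-F, is silently left encoded.

HEX_CHARS = set("0123456789abcdefABCDEF")
DEC_CHARS = set("0123456789")


def unescape_numeric(text, semicolon_optional=True, fixed=False):
    """Decode &#NNN; / &#xHHH; entities in `text`.

    fixed=False : buggy behaviour described in TEXT-215 - the digit scan
                  accepts hex characters regardless of the entity's radix.
    fixed=True  : digit scan uses DEC_CHARS for decimal entities and
                  HEX_CHARS for hexadecimal ones.
    An entity whose digit run does not parse in its radix is ignored and
    copied through unchanged, mirroring the reported "whole entity ignored".
    """
    out = []
    i, n = 0, len(text)
    while i < n:
        if text.startswith("&#", i):
            j = i + 2
            is_hex = j < n and text[j] in "xX"
            if is_hex:
                j += 1
            start = j
            # The bug: HEX_CHARS is used for decimal entities too.
            allowed = HEX_CHARS if (is_hex or not fixed) else DEC_CHARS
            while j < n and text[j] in allowed:
                j += 1
            digits = text[start:j]
            has_semi = j < n and text[j] == ";"
            if digits and (has_semi or semicolon_optional):
                try:
                    code_point = int(digits, 16 if is_hex else 10)
                    out.append(chr(code_point))
                    i = j + (1 if has_semi else 0)
                    continue
                except ValueError:
                    # e.g. int("106a", 10): entity is dropped from decoding
                    # and the raw text falls through below.
                    pass
        out.append(text[i])
        i += 1
    return "".join(out)


# Constructed input (assumption: this is the reporter's example before Jira
# rendered "&#106" as "j"). The decimal entity &#106 is 'j' and has no
# semicolon, and the next character 'a' is a valid hex digit.
PAYLOAD = '<iframe src="&#106avascript:alert(1)">'


def buggy_result():
    # Returns the payload unchanged: "106a" fails radix-10 parsing, so a
    # downstream filter looking for "javascript:" never sees it, while a
    # browser decodes &#106 itself and runs the script.
    return unescape_numeric(PAYLOAD, semicolon_optional=True, fixed=False)


def fixed_result():
    # Digit scan stops at 'a', &#106 decodes to 'j', and the dangerous
    # scheme is visible to whatever inspects the unescaped string.
    return unescape_numeric(PAYLOAD, semicolon_optional=True, fixed=True)


if __name__ == "__main__":
    print("buggy:", buggy_result())
    print("fixed:", fixed_result())
    # Hex entities and semicolon-terminated decimal entities are unaffected.
    print("hex  :", unescape_numeric("&#x6a;avascript", fixed=False))
    print("semi :", unescape_numeric("&#106;avascript", fixed=False))
```

The point to check in a real deployment is the `semicolon_optional` flag: with it disabled, neither variant decodes the semicolon-less entity, so the unescaper and the browser disagree in the same way. The fix only makes the decoder agree with browser behaviour when the optional-semicolon mode is on.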