[ https://issues.apache.org/jira/browse/TEXT-43?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pascal Schumacher moved LANG-572 to TEXT-43:
--------------------------------------------
        Fix Version/s:     (was: Discussion)
    Affects Version/s:     (was: 2.4)
          Component/s:     (was: lang.*)
             Workflow: jira  (was: Default workflow, editable Closed status)
                  Key: TEXT-43  (was: LANG-572)
              Project: Commons Text  (was: Commons Lang)

> [XSS] StringEscapeUtils.escapeHtml() must escape ' chars to &#39;
> ------------------------------------------------------------------
>
>                 Key: TEXT-43
>                 URL: https://issues.apache.org/jira/browse/TEXT-43
>             Project: Commons Text
>          Issue Type: Improvement
>         Environment: Operating System: All
> Platform: All
>            Reporter: Keisuke Kato
>            Priority: Minor
>
> If developers put untrusted data into attribute values using the single
> quote character ' and StringEscapeUtils.escapeHtml() like:
>
> <input type='text' name='input'
> value=*'<%=StringEscapeUtils.escapeHtml(request.getParameter("input"))%>'*>
>
> Then, the attacker is able to break out of the HTML attribute context like:
>
> hxxp://example.org/?input=*' onfocus='alert(document.cookie);' id='*
>
> <input type='text' name='input'
> value='*'onfocus='alert(document.cookie);'id='*'>
>
> I think [LANG\-122|https://issues.apache.org/jira/browse/LANG-122] is not
> truly fixed from this aspect (XSS).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
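The attribute-context breakout described in the report above, as an added example that is not code from the Commons Lang or Commons Text code base. `escapeHtmlLegacy` mirrors the behaviour the report attributes to `StringEscapeUtils.escapeHtml()` (it escapes `& < > "` but leaves the apostrophe alone; that list is an assumption made for the example), and `escapeHtmlAttr` is the hardened variant that also emits `&#39;`. `attributeNames` is a deliberately small attribute tokenizer that approximates what a browser would do with the rendered `<input>` tag; it exists only to make the breakout observable offline and is not a full HTML parser.

```javascript
// Mimics an escaper that handles & < > " but NOT the apostrophe
// (assumed legacy behaviour, as reported in TEXT-43).
function escapeHtmlLegacy(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Hardened variant: additionally escapes ' so a value is safe inside a
// single-quoted attribute as well as a double-quoted one.
function escapeHtmlAttr(s) {
  return escapeHtmlLegacy(s).replace(/'/g, "&#39;");
}

// Renders the single-quoted template from the report with the given escaper.
function renderInput(escaper, untrusted) {
  return `<input type='text' name='input' value='${escaper(untrusted)}'>`;
}

// Simplified attribute tokenizer for one <input ...> tag: returns the attribute
// names a parser would see. Handles single-quoted, double-quoted and unquoted values.
function attributeNames(tag) {
  const inner = tag.replace(/^<input\s*/, "").replace(/\s*\/?>$/, "");
  const names = [];
  let i = 0;
  while (i < inner.length) {
    while (i < inner.length && /\s/.test(inner[i])) i++;
    if (i >= inner.length) break;
    let name = "";
    while (i < inner.length && !/[\s=]/.test(inner[i])) name += inner[i++];
    names.push(name.toLowerCase());
    while (i < inner.length && /\s/.test(inner[i])) i++;
    if (inner[i] === "=") {
      i++;
      while (i < inner.length && /\s/.test(inner[i])) i++;
      const q = inner[i];
      if (q === "'" || q === '"') {
        const end = inner.indexOf(q, i + 1);   // value runs to the matching quote
        i = end === -1 ? inner.length : end + 1;
      } else {
        while (i < inner.length && !/\s/.test(inner[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// Constructed payload, taken from the report's example URL.
const payload = "' onfocus='alert(document.cookie);' id='";

// With the legacy escaper the apostrophe closes value='' and the parser sees
// an onfocus handler as a separate attribute.
function legacyAttributes() {
  return attributeNames(renderInput(escapeHtmlLegacy, payload));
}

// With the hardened escaper the whole payload stays inside the value attribute.
function hardenedAttributes() {
  return attributeNames(renderInput(escapeHtmlAttr, payload));
}

// Convenience check: does the rendered tag carry any on* event handler?
function hasEventHandler(names) {
  return names.some((n) => n.startsWith("on"));
}

console.log(renderInput(escapeHtmlLegacy, payload), hasEventHandler(legacyAttributes()));
console.log(renderInput(escapeHtmlAttr, payload), hasEventHandler(hardenedAttributes()));
```

Running it prints the two rendered tags: the legacy one tokenizes into `type, name, value, onfocus, id`, the hardened one into `type, name, value` only. The practical lesson is the usual one for output encoding: an escaper that only covers `"` is safe solely when every attribute that receives untrusted data is double-quoted, so either escape `'` as well or never use single-quoted attributes for untrusted values.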