[ https://issues.apache.org/jira/browse/TEXT-46?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pascal Schumacher moved LANG-757 to TEXT-46:
--------------------------------------------
    Fix Version/s: (was: Discussion)
    Component/s: (was: lang.*)
    Workflow: jira (was: Default workflow, editable Closed status)
    Key: TEXT-46 (was: LANG-757)
    Project: Commons Text (was: Commons Lang)

> StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon
> ---------------------------------------------------------------------
>
> Key: TEXT-46
> URL: https://issues.apache.org/jira/browse/TEXT-46
> Project: Commons Text
> Issue Type: Improvement
> Reporter: Steve Hale
> Priority: Minor
> Attachments: commons-lang3-LANG-757.patch
>
>
> org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting
> and correcting Cross-Site Scripting (XSS) attempts by converting escaped
> chars like &# 60; or & lt; (remove spaces) into normal chars like < so
> patterns like HTML tags can be detected. Many browsers will allow variations
> without semicolons, particularly the long UTF-8 encoding like <.
> Please see: http://ha.ckers.org/xss.html
> Since this may not be standard HTML, maybe adding a boolean bLenient
> parameter to the method could allow better backward compatibility.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
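The lenient decoding the ticket asks for, as an added example that is not part of the ticket, its attached patch, or Commons Text itself (the small entity table, the `lenient` flag and the markup check are constructed here for illustration). Strict mode decodes only escapes terminated by a semicolon, as the existing method does; lenient mode also accepts the unterminated numeric, hex and named forms that browsers tolerate, in a single pass so that `&amp;lt;` is not decoded twice.

```python
import re

# Constructed subset of the HTML entity table; a real decoder carries the full table.
NAMED_ENTITIES = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}

# One escape: &#60  &#0000060  &#x3C  &lt  -- each with or without the trailing ';'.
_ENTITY_RE = re.compile(
    r"&(?:#(?P<dec>[0-9]{1,8})"
    r"|#[xX](?P<hex>[0-9a-fA-F]{1,8})"
    r"|(?P<name>[a-zA-Z][a-zA-Z0-9]*))"
    r"(?P<semi>;?)"
)

# Constructed detector: after decoding, does the text contain something tag-shaped?
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def unescape_html(s: str, lenient: bool = False) -> str:
    """Decode HTML character escapes; lenient=True also accepts forms without ';'."""

    def repl(m: "re.Match[str]") -> str:
        if not m.group("semi") and not lenient:
            return m.group(0)  # strict mode leaves unterminated escapes untouched
        if m.group("dec") is not None:
            cp = int(m.group("dec"))
        elif m.group("hex") is not None:
            cp = int(m.group("hex"), 16)
        else:
            # Only whole entity names are decoded; unknown names pass through.
            return NAMED_ENTITIES.get(m.group("name"), m.group(0))
        # Reject NUL and out-of-range code points rather than emit garbage.
        return chr(cp) if 0 < cp <= 0x10FFFF else m.group(0)

    # re.sub is a single left-to-right pass, so output is never re-decoded.
    return _ENTITY_RE.sub(repl, s)


def looks_like_markup(s: str, lenient: bool = True) -> bool:
    """True when the (leniently) decoded input contains a tag-shaped pattern."""
    return _TAG_RE.search(unescape_html(s, lenient)) is not None
```

Greedy digit matching means `&#x3Cb` decodes as code point 0x3CB, not `<b`; that ambiguity is inherent to semicolon-less escapes and is why lenient decoding suits detection better than rendering.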