Matt Austin created MYFACES-4238:
------------------------------------

             Summary: Single quote not properly encoded in renderkit.html.util.HTMLEncoder
                 Key: MYFACES-4238
                 URL: https://issues.apache.org/jira/browse/MYFACES-4238
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions: 2.3.1
            Reporter: Matt Austin

Single quotes can be used to enclose HTML attributes:
{code:java}
<img src='userInput' />
{code}
However, only double quotes are encoded. As OWASP describes, single quotes should also be encoded as &#x27;

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

See the following example:
{code:java}
import org.apache.myfaces.shared.renderkit.html.util.*;

import java.io.IOException;
import java.io.StringWriter;

public class FaceTest {
    private static StringWriter userInput;

    public static void main(String[] args) throws IOException {
        userInput = new StringWriter(40);
        // Encode the untrusted value, then place it in a single-quoted attribute.
        HTMLEncoder.encode(userInput, "x onerror='alert(1);'//");
        System.out.println("<img src='"+ userInput.toString() +"' />");
    }
}
{code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)