[TEXT-46] StringEscapeUtils.unescapeHtml: handle HTML escapes without semicolon - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 1.x
Labels:
None

Description

org.apache.commons.lang.StringEscapeUtils.unescapeHtml is useful in detecting and correcting Cross-Site Scripting (XSS) attempts by converting escaped chars like &# 60; or & lt; (remove spaces) into normal chars like < so patterns like HTML tags can be detected. Many browsers will allow variations without semicolons, particularly the long UTF-8 encoding like &#0000060. Please see: http://ha.ckers.org/xss.html

Since this may not be standard HTML, maybe adding a boolean bLenient parameter to the method could allow better backward compatibility.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

commons-lang3-LANG-757.patch
14/Nov/12 16:41
11 kB
Duncan Jones

Activity

People

Assignee:: Unassigned

Reporter:: Steve Hale

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Sep/11 15:19

Updated:: 19/May/17 15:44