[TEXT-42] [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript? (original) (raw)

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 1.x
Labels:
- XSS

Description

org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript does the escape via a prefixed '\' on all characters which must be escaped. I am not sure if this is really secure, if am looking at the comments on https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values. They say it is possible to do an attack by escape the escape. I tested this with the string '\"' and the output was '\\\"'. Is this really ecma-/java-script secure? Or is it better to use the implementation used by OWASP?

Attachments

Issue Links

is related to

Bug - A problem which impairs or prevents the functions of the product. TEXT-52 [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScrip better javadoc

Closed

[TEXT-42] [XSS] Possible attacks through StringEscapeUtils.escapeEcmaScript? (original) (raw)

Details

Description

Attachments

Issue Links

Activity