SEC-1420: Add htmlEscape option to allow disabling of character escaping in authentication tag #1663

Closed
spring-issuemaster opened this Issue Feb 24, 2010 · 4 comments

1 participant

@spring-issuemaster

masrawi (Migrated from SEC-1420) said:

if the user name was mark.mueller, upgrading to 3.0.2 the would return instead of as usual mark.mueller -> mark.mueller

@spring-issuemaster

Luke Taylor said:

What is the actual problem that this causes? The HTML encoding used by the tag was updated based on the OWASP guidelines: http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java.

@spring-issuemaster

masrawi said:

Hi Luke and thanks for the quick reply,
the problem is that the user name is later used as an argument to a link, and escaping it in that way just makes it not work.
I can understand that if that was a "special" character but a dot is not and even in the link you sent the method Character.isDefined() is commented // paranoid version
and the recommended java implementation in the link: org.apache.commons.lang.StringEscapeUtils.escapeHtml(".") will not escape a dot ;-)

@spring-issuemaster

Luke Taylor said:

I'm still not quite clear exactly what you're doing. What do you mean by "the user name is later used as an argument to a link"? The tag is intended for rendering values directly as HTML, so I think the same issue could occur with other characters - making an exception for "." is really just adding a workaround for one specific case. We could add an htmlEscape property, similar to the one used in Spring.
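The disagreement above comes down to output context: an OWASP-style entity encoder that escapes every non-alphanumeric character is the right thing for a value rendered into an HTML body, but its output is not a valid URL component. The following is an added example, not code from Spring Security or from either participant; the class and method names (`EncodingContextDemo`, `escapeEntities`, `renderPrincipal`, `buildProfileLink`) are hypothetical stand-ins for the tag, and it assumes Java 10 or later for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class EncodingContextDemo {

    // "Paranoid" entity encoder in the style of the OWASP Java guidance:
    // anything that is not [A-Za-z0-9] becomes a numeric entity, so a dot
    // is rendered as &#46; even though it carries no HTML meaning.
    static String escapeEntities(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (alnum) {
                sb.append(c);
            } else {
                sb.append("&#").append((int) c).append(';');
            }
        }
        return sb.toString();
    }

    // Hypothetical stand-in for the authentication tag's rendering, with the
    // htmlEscape switch the thread proposes: true = safe for an HTML body,
    // false = raw value, for pages that will encode it for another context.
    static String renderPrincipal(String username, boolean htmlEscape) {
        return htmlEscape ? escapeEntities(username) : username;
    }

    // The correct way to reuse the user name inside a link: take the raw
    // value and apply URL (percent) encoding, never HTML entity encoding.
    static String buildProfileLink(String rawUsername) {
        return "/users?name=" + URLEncoder.encode(rawUsername, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws URISyntaxException {
        String user = "mark.mueller";            // constructed sample value from the thread

        // 1. HTML body context: the entity-encoded form is what the tag should emit.
        String forHtml = renderPrincipal(user, true);
        System.out.println("HTML body : " + forHtml);      // mark&#46;mueller

        // 2. What goes wrong if that HTML-encoded output is pasted into a URL:
        //    '&' ends the query parameter and '#' starts a fragment, so the
        //    receiving page sees a truncated user name.
        URI broken = new URI("/users?name=" + forHtml);
        System.out.println("query     : " + broken.getQuery());     // name=mark&
        System.out.println("fragment  : " + broken.getFragment());  // 46;mueller

        // 3. Link context: encode the raw value for the URL instead.
        String link = buildProfileLink(renderPrincipal(user, false));
        System.out.println("link      : " + link);         // /users?name=mark.mueller
        System.out.println("parsed    : " + new URI(link).getQuery()); // name=mark.mueller

        // 4. Why the tag escapes at all: a user name containing markup must not
        //    reach the HTML body unencoded (constructed sample, defender's view).
        String hostile = "<b>bob</b>";
        System.out.println("escaped   : " + renderPrincipal(hostile, true)); // &#60;b&#62;bob&#60;/b&#62;
    }
}
```

The point for anyone wiring such an option into a page: `htmlEscape="false"` does not make the value safe, it only moves the responsibility for encoding to the page, which must then apply the encoder that matches where the value lands (URL encoding in a link, entity encoding in markup). The dot is merely the visible symptom; any character outside `[A-Za-z0-9]` would break the same way.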

@spring-issuemaster

Luke Taylor said:

I've added support for this in the 3.0.x and master branches. Please give it a try.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016