
SEC-1420: Add htmlEscape option to allow disabling of character escaping in authentication tag #1663

Closed
spring-issuemaster opened this Issue Feb 24, 2010 · 4 comments


masrawi (Migrated from SEC-1420) said:

If the user name was mark.mueller, upgrading to 3.0.2 the <authz:authentication property="principal.username" /> would return instead of as usual mark.mueller -> mark.mueller

Luke Taylor said:

What is the actual problem that this causes? The HTML encoding used by the tag was updated based on the OWASP guidelines: http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java.

masrawi said:

Hi Luke and thanks for the quick reply,
The problem is that the user name is later used as an argument to a link, and escaping it in that way just makes it not work.
I can understand that if it was a "special" character, but a dot is not, and even in the link you sent the method Character.isDefined() is commented // paranoid version
and the recommended Java implementation in the link, org.apache.commons.lang.StringEscapeUtils.escapeHtml("."), will not escape a dot ;-)

Luke Taylor said:

I'm still not quite clear exactly what you're doing. What do you mean by "the user name is later used as an argument to a link"? The tag is intended for rendering values directly as HTML, so I think the same issue could occur with other characters - making an exception for "." is really just adding a workaround for one specific case. We could add an htmlEscape property, similar to the one used in Spring.

Luke Taylor said:

I've added support for this in the 3.0.x and master branches. Please give it a try.
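As an added illustration (not code from Spring Security or from anyone in this thread), the Python below contrasts the OWASP-style "encode everything that is not alphanumeric" entity encoding discussed above, which turns the dot in mark.mueller into a numeric entity, with minimal escaping of only the HTML-significant characters, and shows that a value destined for a URL parameter needs percent-encoding as a separate step. The function names and the /profile URL are assumptions made for the example.

```python
import html
from urllib.parse import quote


def entity_encode_paranoid(value: str) -> str:
    """Encode every character that is not an ASCII letter or digit as a
    numeric character reference, in the spirit of the 'paranoid' variant
    of the OWASP HTML entity encoding guidance linked in the thread.
    This is why a plain dot becomes &#46; when the value is rendered as
    HTML text."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("&#%d;" % ord(ch))
    return "".join(out)


def escape_minimal(value: str) -> str:
    """Escape only & < > \" ' (the characters that change HTML parsing);
    a dot is left untouched, like StringEscapeUtils.escapeHtml does."""
    return html.escape(value, quote=True)


def render_username_text(username: str) -> str:
    """HTML text context: entity-encode the value before placing it
    between tags."""
    return "<span>%s</span>" % entity_encode_paranoid(username)


def render_profile_link(username: str) -> str:
    """URL-in-attribute context: percent-encode the value for the URL
    first, then attribute-escape the whole URL. HTML entity encoding is
    not a substitute for URL encoding; each context needs its own step.
    (/profile?user= is a hypothetical URL.)"""
    url = "/profile?user=" + quote(username, safe="")
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                     escape_minimal(username))


if __name__ == "__main__":
    # Constructed sample user names, including one with HTML-significant
    # and URL-significant characters.
    for name in ("mark.mueller", "a&b", "<b>"):
        print(entity_encode_paranoid(name), escape_minimal(name),
              render_profile_link(name))
```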

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
