Artem Bilan (Migrated from SEC-1865) said:
As described by the link (which is no longer current) in TextEscapeUtils's JavaDocs, the algorithm in TextEscapeUtils.escapeEntities doesn't work correctly for preventing XSS.
So, how about following ESAPI?
Luke Taylor said:
This class is only intended for internal use (and is labelled as such), so you shouldn't really be using it in your application. It is only used when the authentication JSP tag is used to render data into a JSP, and the htmlEscape flag is set to true.
Artem Bilan said:
Ok, Luke, thank you.
No problem! I understand your opinion.
So, maybe it will be a good idea to remove the OWASP link from the JavaDoc of TextEscapeUtils, because it isn't current; this class doesn't do what OWASP describes.
Yes, that's definitely a good idea, since the original code is no longer there.
Rob Winch said:
Thank you for taking the time to report this. I have pushed a fix to master and the 3.0.x branch.