SEC-1865: TextEscapeUtils: HTML Entity Encoding is not enough to stop XSS #2075

Closed
spring-issuemaster opened this Issue Dec 9, 2011 · 4 comments

2 participants

@spring-issuemaster

Artem Bilan (Migrated from SEC-1865) said:

As described by the link (which is no longer current) in TextEscapeUtils's JavaDocs, the algorithm in TextEscapeUtils.escapeEntities doesn't work correctly for preventing XSS.
So, how about following ESAPI?

@spring-issuemaster

Luke Taylor said:

This class is only intended for internal use (and is labelled as such), so you shouldn't really be using it in your application. It is only used when the authentication JSP tag is used to render data into a JSP, and the htmlEscape flag is set to true.

Ultimately it is the user's responsibility to decide whether this is adequate, since only they know the context in which the data is being rendered (HTML, Javascript, css, whatever). It's not really clear how using ESAPI is relevant here. If you want to use ESAPI to escape the data you are displaying in whatever view technology you are using, then that is probably a good idea, but it's not something that Spring Security can do for you.
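
Luke's point above, that entity encoding is only adequate for the context it was designed for, worked through as an added example. This is not code from Spring Security or from either participant; the minimal five-character encoder, the template contexts, the payload strings and the helper names (`html_entity_encode`, `js_string_encode`, `safe_href`, `render`) are all constructed for this illustration. The JavaScript-string encoder uses `\xHH` escaping in the spirit of the context-specific encoders ESAPI provides, without claiming to reproduce ESAPI's exact output.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Assumed minimal entity encoder: the five HTML-significant characters only.
HTML_ENTITY_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def html_entity_encode(s: str) -> str:
    """Replace &, <, >, " and ' with entities; everything else passes through."""
    return "".join(HTML_ENTITY_MAP.get(c, c) for c in s)


def js_string_encode(s: str) -> str:
    """Encoder for a JavaScript string literal: every char outside [A-Za-z0-9]
    becomes \\xHH (or \\uHHHH), so quotes, parens and ';' cannot end the literal."""
    out = []
    for c in s:
        cp = ord(c)
        if cp < 128 and c.isalnum():
            out.append(c)
        elif cp < 256:
            out.append("\\x%02x" % cp)
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def safe_href(url: str) -> str:
    """URL context: allow-list the scheme first, then percent-encode, then
    entity-encode for the surrounding attribute. Relative URLs are rejected
    here for simplicity (an assumption of this example, not a general rule)."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html_entity_encode(quote(url, safe=":/?#&=%"))


def render(template: str, value: str) -> str:
    """Stand-in for a JSP/template engine dropping an encoded value into markup."""
    return template.replace("{}", value)


# Constructed attacker inputs for each context (examples, not from the issue).
BODY_PAYLOAD = "<script>alert(1)</script>"
UNQUOTED_ATTR_PAYLOAD = "x onmouseover=alert(1)"
HREF_PAYLOAD = "javascript:alert(1)"
HANDLER_PAYLOAD = "'); alert(1); ('"


def body_context_is_safe() -> bool:
    """HTML text node: entity encoding is exactly the right tool here."""
    out = render("<p>{}</p>", html_entity_encode(BODY_PAYLOAD))
    return "<script" not in out


def unquoted_attribute_is_safe() -> bool:
    """Unquoted attribute: whitespace ends the value, and the payload contains
    none of the five encoded characters, so a new event-handler attribute appears."""
    out = render("<div class={}>", html_entity_encode(UNQUOTED_ATTR_PAYLOAD))
    return " onmouseover=" not in out


def quoted_attribute_is_safe() -> bool:
    """Same payload, but the template quotes the attribute: the only way out is
    a double quote, which is encoded, so the whole payload stays one value."""
    out = render('<div class="{}">', html_entity_encode(UNQUOTED_ATTR_PAYLOAD))
    return re.fullmatch(r'<div class="[^"]*">', out) is not None


def href_is_safe() -> bool:
    """href attribute: a javascript: URL contains none of the five characters."""
    out = render('<a href="{}">', html_entity_encode(HREF_PAYLOAD))
    return not out.lower().startswith('<a href="javascript:')


def event_handler_breaks_out(encoder) -> bool:
    """Inline handler (onclick="confirm('...')"): the HTML parser decodes entities
    in the attribute value *before* the JS engine parses it, so &#39; turns back
    into a quote. Returns True if the payload terminates the JS string literal."""
    attr_value = render("confirm('{}')", encoder(HANDLER_PAYLOAD))
    js_seen = html.unescape(attr_value)           # what the script engine receives
    unescaped_quotes = re.findall(r"(?<!\\)'", js_seen)
    return len(unescaped_quotes) != 2             # exactly two = literal intact


def handler_encoder(s: str) -> str:
    """Layered encoding for that context: JS-string-escape, then entity-encode."""
    return html_entity_encode(js_string_encode(s))


if __name__ == "__main__":
    print("text node safe with entity encoding:", body_context_is_safe())
    print("unquoted attribute safe:            ", unquoted_attribute_is_safe())
    print("quoted attribute safe:              ", quoted_attribute_is_safe())
    print("href safe with entity encoding:     ", href_is_safe())
    print("handler breaks out, entity only:    ", event_handler_breaks_out(html_entity_encode))
    print("handler breaks out, js+entity:      ", event_handler_breaks_out(handler_encoder))
    print("safe_href(javascript:...):          ", safe_href(HREF_PAYLOAD))
```

The takeaway matches the reply: the same five-character encoder is correct for a text node, irrelevant for an unquoted attribute or a URL (nothing in those payloads gets encoded), and actively undone by the HTML parser inside an event-handler attribute, so the view layer has to pick the encoder per context, and the quoting of attributes is part of the template, not of the encoder.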

@spring-issuemaster

Artem Bilan said:

OK, Luke, thank you.
No problem! I understand your opinion.
So maybe it will be a good idea to remove the OWASP link from the JavaDoc of TextEscapeUtils, because it is no longer current: this class doesn't do what OWASP describes.

@spring-issuemaster

Luke Taylor said:

Yes, that's definitely a good idea, since the original code is no longer there.

@spring-issuemaster

Rob Winch said:

Thank you for taking the time to report this. I have pushed a fix to master and the 3.0.x branch

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016