
SEC-1865: TextEscapeUtils: HTML Entity Encoding is not enough to stop XSS #2075

spring-issuemaster opened this Issue Dec 9, 2011 · 4 comments



Artem Bilan (Migrated from SEC-1865) said:

As described by the link (which is no longer accurate) in TextEscapeUtils's JavaDocs, the algorithm in TextEscapeUtils.escapeEntities doesn't work correctly for preventing XSS.
So, how about following ESAPI?

Luke Taylor said:

This class is only intended for internal use (and is labelled as such), so you shouldn't really be using it in your application. It is only used when the authentication JSP tag is used to render data into a JSP, and the htmlEscape flag is set to true.

Ultimately it is the user's responsibility to decide whether this is adequate, since only they know the context in which the data is being rendered (HTML, JavaScript, CSS, whatever). It's not really clear how using ESAPI is relevant here. If you want to use ESAPI to escape the data you are displaying in whatever view technology you are using, then that is probably a good idea, but it's not something that Spring Security can do for you.
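
An added illustration of the point above that adequacy depends on rendering context; this is not Spring Security's code or the TextEscapeUtils implementation. It uses hypothetical HTML-entity and JavaScript-string encoders, a simplified model of how a browser decodes an attribute value before handing an inline event handler to the JavaScript engine, and a check that the JS string literal survives; the entity encoder alone is adequate for HTML body text but not for a value nested in a JS string inside an attribute, where JS-encoding first and then entity-encoding is the correct layering.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical context-dependent encoders (illustration only, not Spring Security code). */
public final class ContextEncoders {

    /** HTML entity encoding of the characters that can change HTML structure (HTML body/attribute context). */
    static String forHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** JavaScript string-literal encoding: \xHH or \uHHHH for everything except ASCII letters and digits. */
    static String forJsString(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else sb.append(c < 256 ? String.format("\\x%02X", (int) c) : String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    private static final Pattern NUMERIC_ENTITY = Pattern.compile("&#(\\d+);");

    /** Simplified model of the browser's attribute-value parsing: entities are decoded back to characters
     *  before an inline event handler (onclick="...") is passed to the JavaScript engine. */
    static String browserDecodesAttribute(String attr) {
        Matcher m = NUMERIC_ENTITY.matcher(attr);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String ch = String.valueOf((char) Integer.parseInt(m.group(1)));
            m.appendReplacement(out, Matcher.quoteReplacement(ch));
        }
        m.appendTail(out);
        return out.toString().replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    /** The literal is intact only if what the JS engine sees is entirely alphanumerics or \x / \u escapes. */
    private static final Pattern SAFE_JS_BODY = Pattern.compile("(?:[A-Za-z0-9]|\\\\x[0-9A-F]{2}|\\\\u[0-9A-F]{4})*");

    static boolean jsLiteralIntact(String seenByJs) {
        return SAFE_JS_BODY.matcher(seenByJs).matches();
    }

    public static void main(String[] args) {
        String untrusted = "O'Neil\" x";                     // constructed sample value
        String htmlOnly = forHtml(untrusted);                 // fine for <p>...</p>, not for onclick="..."
        String nested = forHtml(forJsString(untrusted));      // JS-encode first, then entity-encode the attribute
        System.out.println(jsLiteralIntact(browserDecodesAttribute(htmlOnly))); // false
        System.out.println(jsLiteralIntact(browserDecodesAttribute(nested)));   // true
    }
}
```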

Artem Bilan said:

Ok, Luke, thank you.
No problem! I understand your opinion.
So, maybe it will be a good idea to remove the OWASP link from the JavaDoc of TextEscapeUtils, because it isn't accurate: this class doesn't do what OWASP describes.

Luke Taylor said:

Yes, that's definitely a good idea, since the original code is no longer there.

Rob Winch said:

Thank you for taking the time to report this. I have pushed a fix to master and the 3.0.x branch.

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
