Spring Security
SEC-1420

Add htmlEscape option to allow disabling of character escaping in authentication tag

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: None
    • Labels: None

      Description

      If the user name was mark.mueller, after upgrading to 3.0.2 the <authz:authentication property="principal.username" /> tag would return instead of, as usual, mark.mueller -> mark.mueller

        Activity

        Luke Taylor added a comment -

        What is the actual problem that this causes? The HTML encoding used by the tag was updated based on the OWASP guidelines: http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java.

        masrawi added a comment -

        Hi Luke, and thanks for the quick reply.
        The problem is that the user name is later used as an argument to a link, and escaping it in that way means it just does not work.
        I could understand that if it were a "special" character, but a dot is not, and even in the link you sent the Character.isDefined() variant is commented // paranoid version,
        and the recommended Java implementation in the link, org.apache.commons.lang.StringEscapeUtils.escapeHtml("."), will not escape a dot.

        Luke Taylor added a comment -

        I'm still not quite clear exactly what you're doing. What do you mean by "the user name is later used as an argument to a link"? The tag is intended for rendering values directly as HTML, so I think the same issue could occur with other characters - making an exception for "." is really just adding a workaround for one specific case. We could add an htmlEscape property, similar to the one used in Spring.

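The exchange above turns on which encoding the consumer of the value actually needs: HTML entity encoding is right when the tag's output is rendered as HTML text, and wrong when the value is about to be placed into a URL parameter. The Java class below is an added example, not Spring Security's code: the class name PrincipalEncodingExample, the /profile?user= URL and the method names are invented for illustration, and paranoidHtmlEscape is a reconstruction of the "escape everything except letters and digits" approach described on the linked OWASP page, not the exact algorithm the 3.0.2 tag used. It shows the dot in mark.mueller coming back as &#46;, one way that value breaks when it is URL-encoded again for a link, and the correct layering once htmlEscape="false" hands back the raw username: percent-encode for the query string first, then HTML-escape the whole attribute value.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Context-appropriate encoding of a principal name that a JSP page renders.
 * Illustrative code added to this issue; not Spring Security's implementation.
 */
public class PrincipalEncodingExample {

    /**
     * "Paranoid" HTML entity encoding in the spirit of the OWASP guidance
     * linked in the thread: every character that is not an ASCII letter or
     * digit becomes a numeric entity, so "." is emitted as "&#46;".
     * Reconstruction for illustration, not the tag's actual 3.0.2 code.
     */
    static String paranoidHtmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean asciiAlnum = (c >= 'a' && c <= 'z')
                    || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            if (asciiAlnum) {
                out.append(c);
            } else {
                out.append("&#").append((int) c).append(';');
            }
        }
        return out.toString();
    }

    /** Minimal HTML escaping: only the five characters that change HTML structure. */
    static String minimalHtmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * One way the reported symptom arises: the tag's already HTML-escaped
     * output is reused as a URL parameter. For "mark.mueller" this yields
     * /profile?user=mark%26%2346%3Bmueller, which the server decodes to the
     * literal string "mark&#46;mueller", not the username.
     */
    static String brokenLink(String rawUsername) {
        String alreadyEscaped = paranoidHtmlEscape(rawUsername); // what a 3.0.2-style tag emits
        return "/profile?user=" + URLEncoder.encode(alreadyEscaped, StandardCharsets.UTF_8);
    }

    /**
     * Correct layering once htmlEscape="false" returns the raw principal:
     * URL-encode the value for the query string, then HTML-escape the whole
     * href attribute, and HTML-escape the visible link text separately.
     */
    static String profileLink(String rawUsername) {
        String urlSafe = URLEncoder.encode(rawUsername, StandardCharsets.UTF_8); // Java 10+ overload
        String href = "/profile?user=" + urlSafe;
        return "<a href=\"" + minimalHtmlEscape(href) + "\">"
                + minimalHtmlEscape(rawUsername) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample principals, including ones that must not reach the page unescaped.
        String[] names = { "mark.mueller", "o'brien", "<script>alert(1)</script>", "a&b=c" };
        for (String n : names) {
            System.out.println("raw:      " + n);
            System.out.println("paranoid: " + paranoidHtmlEscape(n));
            System.out.println("minimal:  " + minimalHtmlEscape(n));
            System.out.println("broken:   " + brokenLink(n));
            System.out.println("link:     " + profileLink(n));
            System.out.println();
        }
    }
}
```

Compile with javac and run with java PrincipalEncodingExample (Java 10 or later for the URLEncoder.encode(String, Charset) overload). Setting htmlEscape="false" does not remove the need to encode; it only moves the responsibility to the page, so the raw principal must then be encoded for each context it is emitted into, as profileLink does for both the href and the link text.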
        Luke Taylor added a comment -

        I've added support for this in the 3.0.x and master branches. Please give it a try.


          People

          • Assignee: Luke Taylor
          • Reporter: masrawi
          • Votes: 0
          • Watchers: 0
