
TextEscapeUtils: HTML Entity Encoding is not enough to stop XSS

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.7, 3.1.0
    • Fix Version/s: 3.0.8, 3.1.1
    • Component/s: Web
    • Labels: None

      Description

      As described by the link (which is no longer current) in TextEscapeUtils's JavaDocs, the algorithm in TextEscapeUtils.escapeEntities doesn't work correctly for preventing XSS.
      So, how about following ESAPI?

        Activity

        Luke Taylor added a comment (edited)

        This class is only intended for internal use (and is labelled as such), so you shouldn't really be using it in your application. It is only used when the authentication JSP tag is used to render data into a JSP, and the htmlEscape flag is set to true.

        Ultimately it is the user's responsibility to decide whether this is adequate, since only they know the context in which the data is being rendered (HTML, Javascript, css, whatever). It's not really clear how using ESAPI is relevant here. If you want to use ESAPI to escape the data you are displaying in whatever view technology you are using, then that is probably a good idea, but it's not something that Spring Security can do for you.
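A constructed illustration of the point made above, that the rendering context decides which encoder is adequate. This is an added example, not Spring Security's TextEscapeUtils nor ESAPI; the two encoders and the sample value are assumptions for demonstration only.

```java
/** Constructed demo of per-context output encoders (not Spring Security code). */
public final class ContextEncoders {

    /** HTML text or quoted-attribute context: entity-encode the significant characters. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** JavaScript string-literal context: allow-list [A-Za-z0-9], Unicode-escape everything else. */
    public static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 6);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (safe) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value containing a quote, a backslash and a line terminator.
        String name = "O'Reilly \\\n";

        // 1. HTML body: entity encoding is the right tool here.
        System.out.println("<span>" + escapeHtml(name) + "</span>");

        // 2. Inline <script>: the HTML encoder leaves the backslash and the newline untouched,
        //    and both are significant inside a JS string literal, so use the JS encoder instead.
        System.out.println("var user = '" + escapeJsString(name) + "';");

        // 3. Event-handler attribute: the HTML parser decodes entities before the JS parser
        //    runs, so encode for JS first, then for HTML (innermost context first).
        System.out.println("<a onclick=\"show('" + escapeHtml(escapeJsString(name)) + "')\">x</a>");
    }
}
```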

        Artem Bilan added a comment

        Ok, Luke, thank you.
        No problem! I understand your opinion.
        So, maybe it would be a good idea to remove the OWASP link from the JavaDoc of TextEscapeUtils, because it isn't current: this class doesn't do what OWASP describes.

        Luke Taylor added a comment

        Yes, that's definitely a good idea, since the original code is no longer there.

        Rob Winch added a comment

        Thank you for taking the time to report this. I have pushed a fix to master and the 3.0.x branch.


          People

          • Assignee: Rob Winch
          • Reporter: Artem Bilan
