Spring Security / SEC-1865

TextEscapeUtils: HTML Entity Encoding is not enough to stop XSS

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.7, 3.1.0
    • Fix Version/s: 3.0.8, 3.1.1
    • Component/s: Web
    • Labels:
      None

      Description

      As described by the link (which is no longer current) in TextEscapeUtils's JavaDocs, the algorithm in TextEscapeUtils.escapeEntities doesn't work correctly for preventing XSS.
      So, how about following ESAPI?

        Activity

        Luke Taylor added a comment (edited)

        This class is only intended for internal use (and is labelled as such), so you shouldn't really be using it in your application. It is only used when the authentication JSP tag is used to render data into a JSP, and the htmlEscape flag is set to true.

        Ultimately it is the user's responsibility to decide whether this is adequate, since only they know the context in which the data is being rendered (HTML, Javascript, css, whatever). It's not really clear how using ESAPI is relevant here. If you want to use ESAPI to escape the data you are displaying in whatever view technology you are using, then that is probably a good idea, but it's not something that Spring Security can do for you.

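        An added illustration of the point made in the comment above (this is not Spring Security's TextEscapeUtils code, nor code from any participant in this issue): a simplified HTML-entity encoder, assumed here to encode only `<`, `>`, `&` and the double quote, yields output that is fine as HTML body text but still contains a single quote, so the same value cannot be dropped into a single-quoted JavaScript string literal; that context needs its own encoder. Class and method names are the example's own.

```java
/**
 * Context-specific output encoders. Illustration only: these are simplified
 * encoders written for this example, NOT Spring Security's TextEscapeUtils.
 */
public final class ContextEncoders {

    /** Simplified HTML-entity encoder (assumption: handles only < > & and the double quote). */
    public static String escapeHtmlEntities(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#34;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Encoder for a value placed inside a JavaScript string literal: everything except ASCII letters and digits becomes \\uXXXX. */
    public static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 6);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    /** Check: does the (already encoded) value still contain a character that can end a single-quoted JS literal or start an escape? */
    public static boolean unsafeInSingleQuotedJs(String encoded) {
        return encoded.indexOf('\'') >= 0 || encoded.indexOf('\\') >= 0
            || encoded.indexOf('\n') >= 0 || encoded.indexOf('\r') >= 0;
    }

    public static void main(String[] args) {
        String name = "O'Brien <admin>";              // constructed sample input
        String html = escapeHtmlEntities(name);
        System.out.println("<p>" + html + "</p>");    // fine as HTML body text: O'Brien &lt;admin&gt;
        // The single quote survived HTML-entity encoding, so this value is not safe inside var n = '...';
        System.out.println("unsafe in JS string: " + unsafeInSingleQuotedJs(html));   // true
        // The JS-string encoder turns the quote into \\u0027 and the angle brackets into \\u003c / \\u003e.
        System.out.println("var n = '" + escapeJsString(name) + "';");
    }
}
```

        The same reasoning applies to attribute, URL and CSS contexts: the check for "is this encoding adequate" has to be made per rendering context, which is why the comment places that decision with the application rather than with the internal utility class.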
        Artem Bilan added a comment

        Ok, Luke, thank you.
        No problem! I understand your opinion.
        So, maybe it will be a good idea to remove the OWASP link from the JavaDoc of TextEscapeUtils, because it isn't current: this class doesn't do what OWASP describes.

        Luke Taylor added a comment

        Yes, that's definitely a good idea, since the original code is no longer there.

        Rob Winch added a comment

        Thank you for taking the time to report this. I have pushed a fix to master and the 3.0.x branch.


          People

          • Assignee: Rob Winch
          • Reporter: Artem Bilan
          • Votes: 0
          • Watchers: 1

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated: 1h (Original Estimate)
              Remaining: 1h (Remaining Estimate)
              Logged: Not Specified (Time Spent)