  1. Spring Framework
  2. SPR-9983

o.s.web.util.JavaScriptUtils.javaScriptEscape insufficiently escapes some characters

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0 GA, 3.1 GA, 3.2 RC1
    • Fix Version/s: 3.2.2
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      true

      Description

      JavaScriptUtils.javaScriptEscape() currently does not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context.

      ECMAScript 5.1 (ECMA 262) [1] defines a line terminator as either U+000A (LF), U+000D (CR), U+2028 (PS), or U+2029 (LS). Line terminators are disallowed in either string context. Their inclusion ought to result in a parse error if inserted without escaping. The javaScriptEscape() method currently escapes U+000A and removes U+000D.

      HTML 5's Tokenizer defines different states that can occur within a <script> tag [2]. If the value "<!--" is inserted, the tokenizer will be at the "Script data escaped dash dash state". From here, one can insert "<script>" and be at the "Script data double escaped state". These states are respected by HTML 5 capable browsers. If the state is changed without closing the state, a parse error ought to occur.

      The escaper should be updated to Unicode escape PS, LS, "<", and ">" characters. This should prevent parse errors in most applications and potential security side effects in some applications (e.g. disabling of frame breaking JS).

      [1] http://www.ecma-international.org/publications/standards/Ecma-262.htm
      [2] http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#script-data-state
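
The escaping proposed in the description, as an added Java example (it is not Spring's JavaScriptUtils source and not code from the reporter). The class name ScriptStringEscaper, the choice to escape CR as \r instead of removing it, and the sample input are assumptions of this example.

```java
// Added illustration; ScriptStringEscaper is a hypothetical name, not a Spring class.
public final class ScriptStringEscaper {

    private ScriptStringEscaper() {
    }

    /**
     * Escapes a value for insertion into a single- or double-quoted JavaScript
     * string literal that is itself emitted inside an HTML script element.
     */
    public static String escape(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '"':  out.append("\\\""); break;
                case '\'': out.append("\\'");  break;
                case '\\': out.append("\\\\"); break;
                case '\n': out.append("\\n");  break;
                // Assumption of this example: CR is escaped, not removed, so the value round-trips.
                case '\r': out.append("\\r");  break;
                // '<' and '>' are Unicode-escaped so "<!--", "<script>" and "</script>"
                // never reach the HTML tokenizer's script data states.
                case '<':
                case '>':
                // U+2028 and U+2029 are ECMAScript 5.1 line terminators and would
                // end the string literal with a parse error if emitted raw.
                case '\u2028':
                case '\u2029':
                    out.append(String.format("\\u%04x", (int) c));
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input covering both line terminators and the tokenizer-sensitive sequences.
        String sample = "a\u2028b<!--<script>\u2029</script>";
        System.out.println("var v = '" + escape(sample) + "';");
    }
}
```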

            People

            • Assignee:
              rstoya05-aop Rossen Stoyanchev
              Reporter:
              jonpasski Jon Passki
              Last updater:
              Jon Passki