javaee / mojarra

PLEASE NOTE: This project has moved to Eclipse Foundation and will be archived under the JavaEE GitHub Organization. After Feb. 1, 2021, the new location will be github.com/javaee/mojarra. Mojarra - Oracle's implementation of the JavaServer Faces specification
https://github.com/eclipse-ee4j/mojarra

OWASP character escape recommendation that could be applied for HTMLUtils.java #4251

Open josedefreitasc opened 7 years ago

josedefreitasc commented 7 years ago

Hi,

I was wondering if some security recommendations given by OWASP could be included in jsf-impl. Currently we are making some improvements to security, but we would like to avoid making changes to the standard version. In this case, OWASP recommends escaping the characters &, <, >, ", ', /. Until now the characters that are escaped in HTMLUtils.java (package com.sun.faces.util) are <, >, &, " without including the single quote and the forward slash. Could these two characters be included in the escaped characters for the standard?

Here I share the recommendation from OWASP: OWASP recommendation

Thanks, José

BalusC commented 6 years ago

Technically, escaping the apostrophe is not necessary, as the JSF HTML renderer never renders the apostrophe as an attribute value separator, and escaping the forward slash is not necessary, as the JSF HTML renderer never renders partial entities.
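As an added example (not Mojarra's HTMLUtils code), the Java below puts the four-character set the issue reports next to the six-character OWASP set and shows why the apostrophe only matters when an attribute is delimited with single quotes, which the comment above says the JSF renderer never does. The class, method names and the sample value are my own constructions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: compares the two escape sets discussed in this issue. */
public final class EscapeComparison {

    // Characters the issue reports HTMLUtils.java escapes today.
    static final Map<Character, String> CURRENT = new LinkedHashMap<>();
    // The six characters in the OWASP recommendation quoted in the issue.
    static final Map<Character, String> OWASP = new LinkedHashMap<>();

    static {
        CURRENT.put('&', "&amp;");
        CURRENT.put('<', "&lt;");
        CURRENT.put('>', "&gt;");
        CURRENT.put('"', "&quot;");
        OWASP.putAll(CURRENT);
        OWASP.put('\'', "&#x27;");
        OWASP.put('/', "&#x2F;");
    }

    /** Replaces every character found in the table with its entity; others pass through. */
    static String escape(String input, Map<Character, String> table) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            String entity = table.get(c);
            out.append(entity == null ? String.valueOf(c) : entity);
        }
        return out.toString();
    }

    /** Attribute rendered with double-quote delimiters, as the comment says JSF does. */
    static String doubleQuotedAttr(String value, Map<Character, String> table) {
        return "<input value=\"" + escape(value, table) + "\">";
    }

    /** Attribute rendered with single-quote delimiters; only here is the apostrophe special. */
    static String singleQuotedAttr(String value, Map<Character, String> table) {
        return "<input value='" + escape(value, table) + "'>";
    }

    public static void main(String[] args) {
        String value = "O'Brien </b> \"x\""; // constructed sample input
        System.out.println(doubleQuotedAttr(value, CURRENT)); // apostrophe is inert inside double quotes
        System.out.println(singleQuotedAttr(value, CURRENT)); // apostrophe ends the attribute early
        System.out.println(singleQuotedAttr(value, OWASP));   // &#x27; keeps the value inside the attribute
    }
}
```

The third line of output is the only single-quoted rendering where the whole value stays inside the attribute, which is the context-dependence behind the comment's point.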

edburns commented 6 years ago

Please see this important message regarding community contributions to Mojarra.

https://javaee.groups.io/g/jsf-spec/message/30

Also, please consider joining that group, as that group has taken the place of the old dev@javaserverfaces.java.net mailing list.

Thanks,

Ed Burns