Open josedefreitasc opened 7 years ago
Technically, escaping the apostrophe is not necessary, as the JSF HTML renderer never renders the apostrophe as an attribute value separator, and escaping the forward slash is not necessary, as the JSF HTML renderer never renders partial entities.
Please see this important message regarding community contributions to Mojarra.
https://javaee.groups.io/g/jsf-spec/message/30
Also, please consider joining that group, as that group has taken the place of the old dev@javaserverfaces.java.net mailing list.
Thanks,
Ed Burns
Hi,
I was wondering if some security recommendations given by the OWASP could be included in jsf-impl. Currently we are making some improvements over the security, but we would like to avoid making changes over the standard version. In this case, the OWASP recommends escaping the characters &, <, >, ", ', /. Until now, the characters that are escaped in HTMLUtils.java (package com.sun.faces.util) are <, >, &, ", without including the single quote and the forward slash. Could these two characters be included in the escaped characters for the standard?
Here I share the recommendation from the OWASP: OWASP recommendation
Thanks, José
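As an added illustration of the point under discussion (example code, not Mojarra's HTMLUtils), the snippet below escapes a constructed sample value under the four-character set the issue says HTMLUtils uses today and under the six-character OWASP set, and then checks in which attribute-quoting contexts each result is safe. The map contents and the check are this example's own; only the two character sets come from the issue.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Contrasts the current HTMLUtils escape set with the OWASP set for attribute values. */
public final class AttributeEscapeDemo {

    // Characters the issue says HTMLUtils escapes today: & < > "
    static final Map<Character, String> CURRENT_SET = new LinkedHashMap<>();
    // OWASP XSS Prevention Rule #1 set: & < > " ' /
    static final Map<Character, String> OWASP_SET = new LinkedHashMap<>();

    static {
        CURRENT_SET.put('&', "&amp;");
        CURRENT_SET.put('<', "&lt;");
        CURRENT_SET.put('>', "&gt;");
        CURRENT_SET.put('"', "&quot;");
        OWASP_SET.putAll(CURRENT_SET);
        OWASP_SET.put('\'', "&#x27;"); // numeric reference: &apos; is not defined in HTML 4
        OWASP_SET.put('/', "&#x2F;");
    }

    /** Escape s with the given policy; characters not in the policy are copied verbatim. */
    static String escape(String s, Map<Character, String> policy) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String rep = policy.get(c);
            sb.append(rep != null ? rep : String.valueOf(c));
        }
        return sb.toString();
    }

    /** True if the escaped value can no longer close an attribute delimited by quote. */
    static boolean safeInAttribute(String escaped, char quote) {
        return escaped.indexOf(quote) < 0;
    }

    public static void main(String[] args) {
        String value = "O'Reilly & Sons </b>"; // constructed sample input
        for (Map<Character, String> policy : List.of(CURRENT_SET, OWASP_SET)) {
            String out = escape(value, policy);
            System.out.println(out);
            System.out.println("  safe inside \"...\" : " + safeInAttribute(out, '"'));
            System.out.println("  safe inside '...' : " + safeInAttribute(out, '\''));
        }
    }
}
```

The four-character set leaves the apostrophe in place, so it is sufficient only if the renderer always delimits attribute values with double quotes, which is exactly the condition the reply above relies on.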