search

slocumbf / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

htmlCodec.decode is broken for all entities where entity.substr(0, x) exist #45

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Test cases :

        assertEquals( "²", htmlCodec.decode("&sup2") );        
        assertEquals( "²", htmlCodec.decode("²") );

return ⊃2 instead of ².

It's because HTMLEntityCodec.getNamedEntity stop at the first entity found
so it will never return &sup2 or &sup3 because &sup exists, neither &piv
because &pi exists and may be other.

Attach is patch and test case added

Original issue reported on code.google.com by patrick....@gmail.com on 30 Oct 2009 at 11:06

Attachments:

GoogleCodeExporter commented 9 years ago 
Forgot : Affect all version until trunk

Original comment by patrick....@gmail.com on 30 Oct 2009 at 11:10

GoogleCodeExporter commented 9 years ago 
I'm working on a JavaScript version and had some thoughts on this class anyway 
so
I'll take a look at this when I have a chance.

Thanks for the patch!

Original comment by schal...@darkmist.net on 4 Nov 2009 at 9:10

GoogleCodeExporter commented 9 years ago 
Hi,
Patrick filled a Jira at https://issues.apache.org/jira/browse/OFBIZ-3135
So we, at Apache OFBiz, are also interested by this bug.
Of course it's not high priority

Thanks

Original comment by jacques....@gmail.com on 4 Nov 2009 at 11:24

GoogleCodeExporter commented 9 years ago 
I had a look at the patch and it works for the specific case but not the 
general. The
patch provided checks for a match at the next character after one match. This 
works
for the cases described but does not work for cases where two entities start 
with the
same sequence but differ by more than one character in length. I can only find 
one
with this issue (theta & thetasym). I'll try to put together a better fix after 
I get
the kids to bed;)

Original comment by schal...@darkmist.net on 6 Nov 2009 at 1:52

GoogleCodeExporter commented 9 years ago 
This should be fixed in revision 755. Please give it a try and report back if 
you would.

Thanks

Original comment by schal...@darkmist.net on 6 Nov 2009 at 4:53

GoogleCodeExporter commented 9 years ago 
Thank you, fix is working well

Original comment by patrick....@gmail.com on 12 Nov 2009 at 8:32