vishank848 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
4 stars 2 forks source link

nekohtml fails ESAPI.validator().getValidSafeHTML(); #277

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Calling

ESAPI.validator().getValidSafeHTML();

with 

<scr<script>ipt>

returns

ipt&gt;

The problem is "nekohtml.jar". ESAPI 2.0.1 comes with nekohtml-1.9.12.jar and 
ESAPI 1.4 used another one which has no version in name so I am not sure which 
version it is but it does not matter. 1.4 works correctly but 2.0.1 returns the 
above descripted output. I have tried the latest version of nekohtml which is 
1.9.15 and this one works fine again ("<scr<script>ipt>" => "").

Original issue reported on code.google.com by Christop...@googlemail.com on 18 Jul 2012 at 4:38