XWiki Platform: XWIKI-5387

Apache commons URIUtil is potentially unsafe

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 2.5 M1, 2.4.4
    • Affects Version/s: 2.2.6, 2.3.2, 2.4
    • Component/s: {Unused} Core
    • Labels: security, xss, patch
    • Difficulty: Trivial

    Description

      The org.apache.commons.httpclient.util.URIUtil class used in com.xpn.xwiki.util.Util is unsafe to use for URL escaping, because it does not escape the apostrophe character ('). This can lead to XSS, e.g. when the escaped value is placed inside JavaScript or an HTML tag attribute, since apostrophes are legitimate string and attribute delimiters in both contexts, so an unescaped one can terminate the string or attribute early.

      The default java.net.URLEncoder or org.apache.velocity.tools.generic.EscapeTool is much better in this respect.
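      The following Java program is an added example (not XWiki's code and not part of this issue) that makes the difference concrete. It contains a small stand-in named uriUtilStyleEncode, which models what the issue describes (RFC 2396 "unreserved" marks, apostrophe included, left unencoded) so that the file has no dependency on commons-httpclient; the stand-in is a hypothetical model, not the library's code. The second encoder is the real java.net.URLEncoder named in the issue. A check function reports whether any of the characters ' " < > survived encoding, and main() renders both results into a single-quoted href attribute to show where the apostrophe breaks out.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/*
 * Added example, not XWiki's or commons-httpclient's code. Demonstrates why an
 * encoder that leaves the apostrophe alone is unsafe once its output lands in a
 * single-quoted HTML attribute or a JavaScript string, and that
 * java.net.URLEncoder (the alternative named in the issue) escapes it.
 */
public class ApostropheEncodingCheck {

    /** RFC 2396 "mark" characters, which that RFC treats as unreserved; note the
     *  apostrophe. Reconstructed from the RFC text, not copied from the library. */
    private static final String RFC2396_MARKS = "-_.!~*'()";

    /** Hypothetical stand-in for the behaviour the issue reports: percent-encode
     *  every byte except ASCII letters, digits and the RFC 2396 marks. */
    public static String uriUtilStyleEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            if (alnum || RFC2396_MARKS.indexOf(c) >= 0) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    /** The alternative the issue recommends: the JDK's URLEncoder with UTF-8. */
    public static String urlEncoderEncode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always supported", e);
        }
    }

    /** True only if none of ' " < > survived encoding, i.e. the value cannot
     *  close a quoted HTML attribute or a JavaScript string literal early. */
    public static boolean safeForQuotedContext(String encoded) {
        for (char ch : "'\"<>".toCharArray()) {
            if (encoded.indexOf(ch) >= 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input: a harmless value that happens to contain an apostrophe.
        String value = "O'Reilly & Co";
        String[][] encoders = {
            {"URIUtil-style", uriUtilStyleEncode(value)},
            {"URLEncoder   ", urlEncoderEncode(value)},
        };
        for (String[] e : encoders) {
            // Template a page might use: the encoded value inside a single-quoted attribute.
            String html = "<a href='/bin/view/Main?name=" + e[1] + "'>link</a>";
            System.out.println(e[0] + " -> " + e[1]
                    + "  safeForQuotedContext=" + safeForQuotedContext(e[1]));
            System.out.println("    " + html);
        }
    }
}
```

      Compile and run with `javac ApostropheEncodingCheck.java && java ApostropheEncodingCheck`. The URIUtil-style result keeps the apostrophe, so the rendered href attribute ends after `name=O` and the remainder of the value is parsed by the browser as further markup; URLEncoder yields `O%27Reilly+%26+Co`, which stays inside the attribute. The same check applies to values interpolated into JavaScript string literals, the other context the issue mentions.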

    People

      Assignee: Alex Busenius (nickless)
      Reporter: Alex Busenius (nickless)