This repository has been archived by the owner on Mar 20, 2021. It is now read-only.

OWASP character escape recommendation that could be applied for HTMLUtils.java #4251

Open
josedefreitasc opened this issue May 31, 2017 · 2 comments

Comments

@josedefreitasc

Hi,

I was wondering whether some security recommendations given by OWASP could be included in jsf-impl. Currently we are making some security improvements, but we would like to avoid making changes to the standard version. In this case, OWASP recommends escaping the characters &, <, >, ", ', /. Until now the characters that are escaped in HTMLUtils.java (package com.sun.faces.util) are <, >, &, ", without including the single quote and the forward slash. Could these two characters be included in the escaped characters for the standard?

Here I share the recommendation from OWASP: OWASP recommendation

Thanks,
José

@BalusC
Collaborator

BalusC commented Sep 23, 2017

Technically, escaping the apostrophe is not necessary because the JSF HTML renderer never renders the apostrophe as an attribute value separator, and escaping the forward slash is not necessary because the JSF HTML renderer never renders partial entities.
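
The following is an added example (not Mojarra code and not from either commenter) that makes the context argument above concrete: it escapes the same attacker-controlled value with the four-character set the issue attributes to HTMLUtils and with the six-character OWASP set, then checks whether the result can terminate a double-quoted or a single-quoted attribute value. The class name, the `escape`/`breaksOut` helpers and the payload string are hypothetical and constructed for illustration; they are not the API of com.sun.faces.util.HTMLUtils.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Mojarra code. Compares two HTML escape tables and
 * shows that the apostrophe only matters when the renderer delimits
 * attribute values with apostrophes, which is the point made in the thread.
 */
public final class EscapeContextDemo {

    // Set the issue says HTMLUtils applies: < > & "
    static final Map<Character, String> FOUR = new LinkedHashMap<>();
    // OWASP rule #1 set: & < > " ' /
    static final Map<Character, String> SIX = new LinkedHashMap<>();

    static {
        FOUR.put('&', "&amp;");
        FOUR.put('<', "&lt;");
        FOUR.put('>', "&gt;");
        FOUR.put('"', "&quot;");
        SIX.putAll(FOUR);
        SIX.put('\'', "&#x27;");
        SIX.put('/', "&#x2F;");
    }

    /** Character-by-character replacement using the given table (hypothetical helper). */
    static String escape(String s, Map<Character, String> table) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String rep = table.get(c);
            out.append(rep == null ? String.valueOf(c) : rep);
        }
        return out.toString();
    }

    /**
     * True if the escaped value still contains the delimiter used around the
     * attribute, i.e. an attacker could close the value early and add attributes.
     */
    static boolean breaksOut(String escaped, char delimiter) {
        return escaped.indexOf(delimiter) >= 0;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value (e.g. a user-supplied title).
        // It tries to end the attribute and inject an event handler.
        String payload = "' onmouseover='alert(1)";

        for (Map<Character, String> table : Arrays.asList(FOUR, SIX)) {
            String escaped = escape(payload, table);
            String label = (table == FOUR) ? "four-char set" : "OWASP six-char set";
            System.out.println(label + " -> " + escaped);
            // Double-quoted attribute, which the thread says JSF always emits:
            System.out.println("  title=\"...\" breakout: " + breaksOut(escaped, '"'));
            // Single-quoted attribute, the case the apostrophe escape exists for:
            System.out.println("  title='...'  breakout: " + breaksOut(escaped, '\''));
        }
    }
}
```

Running this prints that neither table allows breaking out of a double-quoted attribute, since `"` is escaped by both, while only the OWASP table prevents breaking out of a single-quoted attribute. That is the trade-off being discussed: the extra apostrophe escape buys nothing for a renderer that never uses apostrophes as delimiters, but it is what protects templates or custom renderers that do.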

@edburns
Member

edburns commented Oct 29, 2017

Please see this important message regarding community contributions to
Mojarra.

https://javaee.groups.io/g/jsf-spec/message/30

Also, please consider joining that group, as that group has taken the
place of the old [email protected] mailing list.

Thanks,

Ed Burns
