Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding HTML encoding to default 404 error message. #566

Open
wants to merge 1 commit into
base: 2.4.x
Choose a base branch
from
Open

Adding HTML encoding to default 404 error message. #566

wants to merge 1 commit into from

Conversation

jaxley
Copy link

@jaxley jaxley commented Apr 7, 2016

No description provided.

@rossabaker
Copy link
Member

I like the idea, but spring-web seems heavy for HTML escaping. Could we just implement that as a function and not take on more weight?

@jaxley
Copy link
Author

jaxley commented Apr 7, 2016

Their library is one of the best for doing HTML encoding. Can you
implement the similar logic? It should ideally match their implementation.

-Jason

On Thu, Apr 7, 2016 at 1:15 PM Ross A. Baker notifications@github.com
wrote:

I like the idea, but spring-web seems heavy for HTML escaping. Could we
just implement that as a function and not take on more weight?


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#566 (comment)

@rossabaker
Copy link
Member

Would scala.xml.Utility.escape get the job done?

@jaxley
Copy link
Author

jaxley commented Apr 9, 2016

Absolutely not. XML encoding only tends to encode the main metacharacters
of XML and leave all other characters unencoded, leaving lots of room for
shenanigans. It's best practice to encode as much as you can of the
special characters. Plus, HTML encoders deal with the wide variety of
named entities in HTML that aren't in XML.

Scalatra really should not be taking on the task of building and
maintaining an secure HTML encoder IMO. Is spring-web really that large
that it's worth taking on this burden and risk? You could use OWASP
ESAPI's HTML encoder as well, but that library has not necessarily been
maintained tightly and is not a flagship OWASP tool.

-Jason
On Fri, Apr 8, 2016, 9:04 PM Ross A. Baker notifications@github.com wrote:

Would scala.xml.Utility.escape get the job done?


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#566 (comment)

@rossabaker
Copy link
Member

I agree that we would not want to maintain a general purpose HTML encoder. But the rules are context sensitive. This context is the one described by Rule 1 of the OWASP guidelines, which is the simple one.

I took a closer look at scala.xml.Utility, and it misses ' and /. So that's out. But spring-web seems like bloat for a function that needs to sanitize six characters.

@pgingras
Copy link
Contributor

Is there any follow up on this PR? It's a fix I would need at work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jaxley @rossabaker @pgingras