commons-dev mailing list archives

From Benedikt Ritter <brit...@apache.org>
Subject Re: [lang] Question with the StringEscapeUtils.(un)escapeEcmaScript
Date Wed, 08 Mar 2017 08:51:48 GMT
Hello Yasser,

Sorry for the late reply! I have been on vacation and needed some time to go through all the
mails that have piled up :-)

> On 27.02.2017 at 15:38, Yasser Zamani <yasser.zamani@live.com> wrote:
> 
> Hi there,
> 
> I just wonder why `StringEscapeUtils.escapeEcmaScript` also includes
> `JavaUnicodeEscaper`? Is it its business really? The problem is when we
> use it to prevent script injection by user, it also replaces user
> input's unicodes with "\u"s, which is not deducted with the
> `escapeEcmaScript` term.

StringEscapeUtils contains general String escaping routines. It does not focus on business
related escaping (how would you draw that line anyway?). escapeEcmaScript just escapes the
characters in a String using EcmaScript String rules.
Can you please provide a failing test case showing the problem you see?

> 
> Another thing is, it replaces e.g. '<' with '&lt;' (html/xml escape) but
> replaces unicode with '\u....' rather than '&#'?

I fail to understand the problem here. The following test is green:

import static org.junit.Assert.assertEquals;
import org.apache.commons.lang3.StringEscapeUtils;
import org.junit.Test;

@Test
public void testEscape() throws Exception {
    // '<' and '>' are not special inside a JS string literal, so they pass through unchanged
    assertEquals("< >", StringEscapeUtils.escapeEcmaScript("< >"));
}

So "<" and ">" are not escaped by escapeEcmaScript.

> 
> And finally just for a curious, why `ESCAPE_ECMASCRIPT` does not include 
> `OctalUnescaper` but `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?

Again it is because it just escapes according to EcmaScript escaping rules.

Hope that helps!
Regards,
Benedikt

> 
> Thanks in advance!
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org

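As an added illustration of the behaviour discussed in this thread (not code from the thread itself or from Commons Lang), the following stand-alone program runs escapeEcmaScript over a constructed input containing non-ASCII text, both quote styles, a backslash and a closing script tag, then reports which characters the escaper touched and whether unescapeEcmaScript round-trips the result. It needs commons-lang3 on the classpath. The helper names and the attribute-context helper (JS-escape first, then HTML-escape, the usual layering when a JS string literal sits inside an inline event-handler attribute) are my own assumptions, not part of the library.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class EcmaScriptEscapeDemo {

    // Escapes a value for use inside a JavaScript string literal (single- or double-quoted).
    static String forJsStringLiteral(String userInput) {
        return StringEscapeUtils.escapeEcmaScript(userInput);
    }

    // Hypothetical helper for the inline-handler case (onclick="..."): the value sits in a
    // JS string literal that itself sits in an HTML attribute, so escape for JS first,
    // then for HTML. This layering is general guidance, not something the library does for you.
    static String forJsStringLiteralInHtmlAttribute(String userInput) {
        return StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(userInput));
    }

    // True when escaping followed by unescaping gives back the original text.
    static boolean roundTrips(String s) {
        return s.equals(StringEscapeUtils.unescapeEcmaScript(StringEscapeUtils.escapeEcmaScript(s)));
    }

    public static void main(String[] args) {
        // Constructed sample input: an umlaut, both quote styles, a would-be </script>
        // breakout, some markup and a trailing backslash.
        String input = "Müller said \"it's done\" </script><b>x</b>\\";
        String js = forJsStringLiteral(input);

        System.out.println("escaped:        " + js);
        System.out.println("round-trips:    " + roundTrips(input));

        // Observations matching the thread: non-ASCII becomes a backslash-u-XXXX escape,
        // quotes, backslash and slash get a backslash prefix, while '<' and '>' pass
        // through unchanged because they are not special inside a JS string literal.
        System.out.println("umlaut escaped: " + js.contains("\\u00FC"));
        System.out.println("keeps '<':      " + js.contains("<"));
        System.out.println("slash escaped:  " + js.contains("<\\/script>"));

        // For the attribute context the surrounding HTML parser sees the value first,
        // so the HTML-significant characters must be escaped as well.
        System.out.println("attribute:      " + forJsStringLiteralInHtmlAttribute(input));
    }
}
```

Run it with commons-lang3 on the classpath (for example `javac -cp commons-lang3.jar EcmaScriptEscapeDemo.java && java -cp .:commons-lang3.jar EcmaScriptEscapeDemo`). The point for a reviewer of user-controlled values is that escapeEcmaScript is a string-literal escaper: it makes the value safe inside the quotes of a JS string, and the enclosing context (a script element, an HTML attribute, a URL) still has to be handled by the escaper for that context.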