29

I've been tasked with updating our code from using org.apache.commons.lang to org.apache.commons.lang3, and I've found that the newer version of StringEscapeUtils no longer has the method escapeJavaScript(); however, we were using this in quite a few places throughout our code.

I've been reading through the documentation and it seems that the whole of StringEscapeUtils was rewritten for lang3 (see the release notes for lang 3.3.2), and with this rewrite they removed escapeJavaScript(); however, they haven't said what to use as an alternative in any of their documentation (not that I can see, anyway). Here's the "what's new" documentation.

So my question is: I can't be the only one to have noticed this and experienced this issue, so what is the alternative to using StringEscapeUtils.escapeJavaScript()?

Popeye
  • It would be interesting to know why someone thinks this is off-topic because it is asking FOR off-site resources and why they think it should be closed. I'm not asking for off-site resources; I have the resource, it's `commons lang3`. I'm asking for an alternative workaround to replace that of `escapeJavaScript` and whether there is an alternative held within the `commons lang3` code itself. Please detail why you believe this is off-topic. – Popeye Mar 19 '15 at 14:04
  • 1
    Thanks for asking this. I discovered the same thing today and couldn't find any reference to it in the commons doc. – Jeremy Goodell Dec 21 '15 at 19:04

3 Answers

33

Either of escapeEcmaScript or escapeJson would be a suitable replacement.

Ian Roberts
  • 9
    Doing a little digging into `escapeEcmaScript`, I've found that essentially when they rewrote the `StringEscapeUtils` class they decided to give it a name change, as essentially the method was changing to cover all the ECMA standard languages such as `JScript`, `JavaScript` and `ActionScript`, so I believe changing it to use `escapeEcmaScript` is the correct approach. So +1 and accepted. Thanks – Popeye Mar 19 '15 at 14:21
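An added example (not code from the question, the answers or Commons Lang) showing that which of the two replacements is a drop-in for escapeJavaScript() depends on how the value is embedded: escapeEcmaScript escapes both quote characters and the slash, while escapeJson leaves the single quote alone. It assumes commons-lang3 3.2 or later on the classpath (escapeJson arrived in 3.2) and uses a constructed untrusted input.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class JsEscapeMigration {

    // Constructed untrusted input that tries to end a single-quoted literal and the script block.
    static final String UNTRUSTED = "x'); doSomething(); //</script>";

    // True if the escaped text still contains the given quote character in unescaped form,
    // i.e. it could terminate a JS string literal delimited by that quote.
    // A backslash escapes the character that follows it, so that character is skipped.
    static boolean containsUnescaped(String escaped, char quote) {
        for (int i = 0; i < escaped.length(); i++) {
            char c = escaped.charAt(i);
            if (c == '\\') {
                i++;            // skip the escaped character
                continue;
            }
            if (c == quote) {
                return true;
            }
        }
        return false;
    }

    // True if the text could still close a surrounding <script> element.
    // Both escapers turn "/" into "\/", so "</script>" becomes "<\/script>".
    static boolean containsScriptClose(String escaped) {
        return escaped.toLowerCase().contains("</script");
    }

    // Safe to place between a pair of `quote` characters inside an inline script.
    static boolean safeForLiteral(String escaped, char quote) {
        return !containsUnescaped(escaped, quote) && !containsScriptClose(escaped);
    }

    public static void main(String[] args) {
        // escapeEcmaScript escapes ' " \ and /: usable in single- or double-quoted literals.
        String ecma = StringEscapeUtils.escapeEcmaScript(UNTRUSTED);
        System.out.println("escapeEcmaScript: " + ecma);
        System.out.println("  ok in '...': " + safeForLiteral(ecma, '\''));
        System.out.println("  ok in \"...\": " + safeForLiteral(ecma, '"'));

        // escapeJson escapes " \ and / but not ': only a replacement for double-quoted literals.
        String json = StringEscapeUtils.escapeJson(UNTRUSTED);
        System.out.println("escapeJson: " + json);
        System.out.println("  ok in '...': " + safeForLiteral(json, '\''));
        System.out.println("  ok in \"...\": " + safeForLiteral(json, '"'));
    }
}
```

The same two methods exist on org.apache.commons.text.StringEscapeUtils, so the check applies unchanged after moving to Commons Text.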
3

According to the Apache Commons deprecated page, we should be using:

  • Apache Commons Text
will
0

I was able to fix this by modifying the owasp code by detecting when it is htmlEncoding the base64 data tags, which doesn't seem necessary.

I believe this is secure because this code doesn't do the security checks, but just avoids doing the encodeHTML on data urls. If anybody knows otherwise, I'd like to know. Thanks!

  private static void encodeHtmlOnto(
      String plainText, Appendable output, @Nullable String braceReplacement)
          throws IOException {

    if(plainText!=null && plainText.startsWith("data:image")) {
      //Don't touch the base64 encoded images. This messes up the diffing of things.
      output.append(plainText);
      return;
    }
...

The following patch for the owasp code will get it to leave the img data tags alone.

Index: org/owasp/html/Encoding.java
<+>UTF-8
===================================================================
diff --git a/api/app-ejb/src/main/java/org/owasp/html/Encoding.java b/api/app-ejb/src/main/java/org/owasp/html/Encoding.java
--- a/api/app-ejb/src/main/java/org/owasp/html/Encoding.java    (revision c5c815dda1f5c89d2e515d676b8c143591b68d8c)
+++ b/api/app-ejb/src/main/java/org/owasp/html/Encoding.java    (date 1649080667669)
@@ -166,6 +166,7 @@
   static void encodeHtmlAttribOnto(String plainText, Appendable output)
       throws IOException {
     encodeHtmlOnto(plainText, output, "{\u200B");
+    output.append(plainText);
   }
 
   /**
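Review bot: the added `output.append(plainText);` in encodeHtmlAttribOnto writes the raw, unencoded attribute value right after the encoded copy, so every attribute that goes through this path ends up containing the original text with its quotes, `<` and `&` intact, which defeats the attribute encoding the sanitizer depends on and duplicates the value. This line is unrelated to the data-URL pass-through the answer describes and should be dropped; the pass-through decision is already made inside encodeHtmlOnto in the second hunk, which this method calls.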
@@ -234,6 +235,13 @@
   private static void encodeHtmlOnto(
       String plainText, Appendable output, @Nullable String braceReplacement)
           throws IOException {
+
+    if(plainText!=null && plainText.startsWith("data:image")) {
+      //Don't touch the base64 encoded images. This messes up the diffing of things.
+      output.append(plainText);
+      return;
+    }
+
     int n = plainText.length();
     int pos = 0;
     for (int i = 0; i < n; ++i) {
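Review bot: the early return keys only on the prefix `data:image`, so whatever follows that prefix is appended with no encoding at all; the answer's "I believe this is secure" rests entirely on a prefix the check never looks past. If data URLs must survive untouched, validate the whole value before skipping the encoder (a MIME subtype from an allow list, the literal `;base64,` marker, and only base64 alphabet characters after it) and fall through to the normal loop for anything else. Note also that the bypass applies to every caller of encodeHtmlOnto, including encodeHtmlAttribOnto in the first hunk, not just the image attributes the comment has in mind, and the new `plainText != null` guard changes nothing in practice since the next line still dereferences plainText.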

box110a