Comments (4)
from owasp-java-encoder.
Hello and thanks for your honest answer. I fully understand your point of not adding support for edge cases and keeping it small and simple. I don't know why Google Earth decided to implement it this way...
As I already have a delegator class in place to avoid dependencies to org.owasp.encoder
throughout my code I worked around this issue by just adding this one:
/**
* This is a special case of XML encoding that replaces angle brackets with numeric character entities (< and >) instead of entity references (< and >).
* This prevents Google Earth from rendering inadvertent HTML.
* @see <a href="http://kml4earth.appspot.com/kmlErrata.html?#encoding">KML Reference Errata</a>
* @see <a href="https://github.com/OWASP/owasp-java-encoder/issues/20">OWASP Issue</a>
*/
public static String kmlEncode(String str) {
return org.owasp.encoder.Encode.forXml(str).replace("<", "<").replace(">", ">");
}
I know that strictly replacing all entity references by their numerical representations would be the better but more complex approach. For the moment it solves the problem and I didn't manage to break out and inject HTML. Do you think the workaround sufficiently prevents all cases? Let me see, maybe forking your repo should be preferred in the end...
Bye
from owasp-java-encoder.
from owasp-java-encoder.
I also integrated a specialized KMLEncoder
in https://github.com/cnsgithub/owasp-java-encoder. We can safely close this issue.
from owasp-java-encoder.
Related Issues (20)
- Rename main branch HOT 1
- Create encode for URL function HOT 9
- Support for input canonicalization HOT 6
- JavaScriptEncoder escapes "-" what makes dates escaped HOT 6
- Create an encodeForEmail() function HOT 4
- Possible to inject expression property resulting XSS attack in IE browser by using certain document modes HOT 2
- Please sign the jar HOT 12
- Documentation Frames Broken by Content-Security-Policy HOT 1
- Process for reporting possible security vulnerabilties
- Correct javadoc for Encode class HOT 1
- Javadoc link is broken HOT 4
- Alternative method for deprecated forUri() method HOT 1
- Jsp tags not working together with EL expressions HOT 3
- log4j 1.2.17 dependency HOT 6
- Compile error HOT 6
- Any plans for a version using Jakarta Servlet 5.0? HOT 4
- Automatic module name not included in manifest
- I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar". HOT 3
- Combining OWASP Sanitizer and Encoder HOT 4
- Confusing example in Encode.forHtmlAttribute docs HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-java-encoder.