Alternative to using StringEscapeUtils.escapeJavaScript() in commons lang3

I've been tasked with updating our code from using org.apache.commons.lang to org.apache.commons.lang3, and I've found that the newer version of StringEscapeUtils no longer has the method escapeJavaScript(); however, we were using this in quite a few places throughout our code.

I've been reading through the documentation and it seems that the whole of StringEscapeUtils was rewritten for lang3 (see the release notes for lang 3.3.2). With this rewrite they removed escapeJavaScript(); however, they haven't said what to use as an alternative in any of their documentation (not that I can see, anyway). Here's the "what's new" documentation.

So my question is: I can't be the only one to have noticed this and experienced this issue, so what is the alternative to using StringEscapeUtils.escapeJavaScript()?
Solution 1:[1]

Either of escapeEcmaScript or escapeJson would be a suitable replacement.

Solution 2:[2]

According to the Apache Commons deprecated page, we should be using:

  • Apache Commons Text
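
Putting the two answers above together, as an added example that is not part of either answer: a small Java class that uses escapeEcmaScript() and escapeJson() from Apache Commons Text (artifact org.apache.commons:commons-text) where the removed escapeJavaScript() used to be called. The class and method names are illustrative choices; only the two StringEscapeUtils calls are real Commons Text APIs.

```java
import org.apache.commons.text.StringEscapeUtils;

/**
 * Added example, not code from the answers above. Shows how a call site that
 * used lang's StringEscapeUtils.escapeJavaScript() can move to
 * escapeEcmaScript()/escapeJson() from org.apache.commons:commons-text.
 * Class and method names here are illustrative, not Commons APIs.
 */
public final class JsEscapeMigration {

    /**
     * Untrusted text as a double-quoted JavaScript string literal. The output
     * is only safe inside a quoted string literal, not as raw JavaScript.
     */
    static String jsStringLiteral(String untrusted) {
        // escapeEcmaScript escapes ' " \ and /, turns control characters into
        // \n, \t, ... and everything outside printable ASCII into \uXXXX.
        // Escaping "/" is what makes "</script>" come out as "<\/script>", so
        // the value cannot close the <script> element it is embedded in; the
        // \uXXXX rule also covers U+2028/U+2029, which end a line in JS.
        return "\"" + StringEscapeUtils.escapeEcmaScript(untrusted) + "\"";
    }

    /** Same text as a JSON string; escapeJson also escapes "/" but leaves ' alone. */
    static String jsonStringLiteral(String untrusted) {
        return "\"" + StringEscapeUtils.escapeJson(untrusted) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the characters that matter.
        String[] samples = {
            "O'Reilly said \"hi\"",
            "</script> <b>not bold</b>",
            "line1\nline2\ttabbed",
            "caf\u00e9\u2028next line"
        };
        for (String s : samples) {
            System.out.println("var v = " + jsStringLiteral(s) + ";");
            System.out.println("var j = " + jsonStringLiteral(s) + ";");
            System.out.println();
        }
    }
}
```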

Solution 3:[3]

I was able to fix this by modifying the OWASP code to detect when it is HTML-encoding the base64 data tags, which doesn't seem necessary.

I believe this is secure because this code doesn't do the security checks, but just avoids doing the encodeHTML on data URLs. If anybody knows otherwise, I'd like to know. Thanks!

  private static void encodeHtmlOnto(
      String plainText, Appendable output, @Nullable String braceReplacement)
          throws IOException {

    if(plainText!=null && plainText.startsWith("data:image")) {
      //Don't touch the base64 encoded images. This messes up the diffing of things.
      output.append(plainText);
      return;
    }
...

The following patch for the OWASP code will get it to leave the img data tags alone.

Index: org/owasp/html/Encoding.java
<+>UTF-8
===================================================================
diff --git a/api/app-ejb/src/main/java/org/owasp/html/Encoding.java b/api/app-ejb/src/main/java/org/owasp/html/Encoding.java
--- a/api/app-ejb/src/main/java/org/owasp/html/Encoding.java    (revision c5c815dda1f5c89d2e515d676b8c143591b68d8c)
+++ b/api/app-ejb/src/main/java/org/owasp/html/Encoding.java    (date 1649080667669)
@@ -166,6 +166,7 @@
   static void encodeHtmlAttribOnto(String plainText, Appendable output)
       throws IOException {
     encodeHtmlOnto(plainText, output, "{\u200B");
+    output.append(plainText);
   }
 
   /**
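Review bot: the added `output.append(plainText);` in encodeHtmlAttribOnto writes the raw, unencoded attribute value immediately after the encoded form that encodeHtmlOnto just produced, so every attribute value now reaches the output a second time with its quotes, `<` and `&` untouched; that undoes the attribute encoding for all callers, not just data URLs, and looks unrelated to the change described. Drop this line so the method keeps emitting only the encoded value.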
@@ -234,6 +235,13 @@
   private static void encodeHtmlOnto(
       String plainText, Appendable output, @Nullable String braceReplacement)
           throws IOException {
+
+    if(plainText!=null && plainText.startsWith("data:image")) {
+      //Don't touch the base64 encoded images. This messes up the diffing of things.
+      output.append(plainText);
+      return;
+    }
+
     int n = plainText.length();
     int pos = 0;
     for (int i = 0; i < n; ++i) {
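Review bot: the early return only checks that the string starts with `data:image`; everything after that prefix is appended verbatim, so a value that begins with the prefix but goes on to contain `"`, `'`, `<` or `>` now bypasses the encoding loop below entirely, and in an attribute value that is enough to terminate the attribute. A genuine base64 image payload never contains those characters, so tighten the guard before returning: require the full data URL shape (an image media type, `;base64,` and only base64 characters after it) and fall through to the normal encoding for anything else. Also note that `plainText!=null` is checked here while the existing `plainText.length()` below still dereferences it, so the guard only changes where a null fails.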

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution sources:
Solution 1: Ian Roberts
Solution 2: will
Solution 3: box110a