Spring JavaScriptEscape insufficiently escapes some characters

JavaScriptUtils.javaScriptEscape() currently does not escape all characters that are sensitive in a JS single-quoted string, a JS double-quoted string, or an HTML script data context. ECMAScript 5.1 (ECMA-262) defines a line terminator as U+000A (LF), U+000D (CR), U+2028 (LINE SEPARATOR, LS), or U+2029 (PARAGRAPH SEPARATOR, PS). Line terminators are disallowed in both string contexts, so inserting one without escaping ought to produce a parse error. (ES2019 later relaxed this for LS and PS inside string literals, but engines implementing the older grammar still reject them.) The javaScriptEscape() method currently escapes U+000A and removes U+000D; it passes U+2028 and U+2029 through untouched.

HTML 5's tokenizer defines several states that apply inside a <script> element. If the value <!-- is inserted, the tokenizer moves to the script data escaped dash dash state. From there, inserting <script> moves it to the script data double escaped state, where a subsequent </script> only returns the tokenizer to the escaped state instead of ending the element. These states are honoured by HTML 5 capable browsers. If attacker-controlled text changes the state without closing it, a parse error ought to occur, and the </script> the page author wrote no longer terminates the script.

The escaper should be updated to \u-escape the PS, LS, <, and > characters. This would prevent parse errors in most applications and potential security side effects in some (e.g. disabling of frame-breaking JavaScript when the injected text swallows the closing </script> tag).

The bug can be seen on Spring's JIRA
