The Grammar Section in Annex A at the end of the document is also a good spot to read up on the syntax rules. To summarize, a String Literal can be anything between a single-quote (') or double-quote (") character except that quote character and Line Terminators. Drilling into the spec more, there's no obvious reason why the forward slash is escaped.
Now you could be saying to yourself, it's to stop someone from inserting a comment. Since the escaper escapes the quote characters, and a String Literal can contain a forward slash, there's no obvious way this would end the quoted context and start a new single-line comment context. So that's probably not it. And looking into the escapers, they're not trying to do anything with regular expressions, so that doesn't seem to be it either.
Spring isn't alone here. The Apache Commons StringEscapeUtils.escapeEcmaScript() escaper also escapes the forward slash. Huh. So something is going on here. Now I don't know exactly why they do the things they do, but I can speculate.
<script> tags. While it could occur within an HTML attribute context, let's go with the
</script>, the new escaped text should be <\/script>. An HTML 5 tokenizer like your browser ought to change back to the script data state. This prevents an attacker from injecting a
Let's say the JSP wasn't using an escaper. Here's a snippet from somefile.jsp:
Then if the following vector was passed to the application:
The JSP ought to return the following HTML:
Now, let's say it was. Here's somefile.jsp updated:
Using the same vector, the JSP ought to return the following HTML:
This ought to be parsed as a normal double-quoted string by the browser. No XSS here.
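The walkthrough above, as an added example that is not code from the original post nor from Spring or Apache Commons: a small escaper written in the spirit of the escapers discussed (quotes, backslash, Line Terminators and the forward slash), a check modelled on the HTML5 tokenizer's handling of an end tag in the script data state, and a round trip through a real JavaScript string literal. The function names, the `var x = "..."` script shape and the sample vector are all constructed for this illustration.

```javascript
// Added example: a JS string-literal escaper in the style of the escapers
// discussed above (assumption: mirrors their described behaviour, not their code).
function escapeJsString(s) {
  let out = "";
  for (const ch of s) {
    switch (ch) {
      case "\\":     out += "\\\\"; break;
      case "'":      out += "\\'"; break;
      case '"':      out += '\\"'; break;
      case "/":      out += "\\/"; break;     // turns </script> into <\/script>
      case "\n":     out += "\\n"; break;     // ECMAScript Line Terminators
      case "\r":     out += "\\r"; break;
      case "\u2028": out += "\\u2028"; break;
      case "\u2029": out += "\\u2029"; break;
      default:       out += ch;
    }
  }
  return out;
}

// Would an HTML5 tokenizer in the "script data" state leave the script block
// somewhere inside scriptData? The block ends at "</script" (ASCII
// case-insensitive) followed by whitespace, "/" or ">". "<\/script>" does not
// match, so the tokenizer stays in the script data state.
function scriptDataEndsEarly(scriptData) {
  return /<\/script[\t\n\f \/>]/i.test(scriptData);
}

// The script the page emits, with or without the escaper: var x = "<value>";
function renderScript(value, escape) {
  const v = escape ? escapeJsString(value) : value;
  return 'var x = "' + v + '";';
}

// Constructed sample vector: closes the script block and injects markup.
const VECTOR = '</script><b>injected</b>';

function demo() {
  const unescaped = renderScript(VECTOR, false);
  const escaped = renderScript(VECTOR, true);
  // "\/" is a valid ECMAScript escape meaning "/", so the browser still sees
  // the original value once it evaluates the literal.
  const roundTrip = new Function(escapeJsString(VECTOR) === null ? "" :
    'var x = "' + escapeJsString(VECTOR) + '"; return x;')();
  return {
    unescaped,
    escaped,
    unescapedBreaksOut: scriptDataEndsEarly(unescaped),
    escapedBreaksOut: scriptDataEndsEarly(escaped),
    roundTripMatches: roundTrip === VECTOR,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running it shows the unescaped script block ending at the injected `</script>` while the escaped block stays a single double-quoted string, and the string the page's script receives is unchanged by the escaping.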
In case you're wondering, the CSL conservatively escapes characters that could cause context transitions like these. If any are not obvious, please let us know on the GitHub page.