VYPR
Moderate severity · NVD Advisory · Published Jan 10, 2020 · Updated Aug 6, 2024

CVE-2013-6430

Description

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Framework before 3.2.2 fails to escape line/paragraph separators and angle brackets in javaScriptEscape, enabling XSS attacks.

Vulnerability

Description

The JavaScriptUtils.javaScriptEscape method in Spring MVC (Spring Framework versions before 3.2.2) does not properly escape certain Unicode characters and angle brackets. Specifically, it fails to escape line separator (U+2028) and paragraph separator (U+2029) characters, as well as the left (<) and right (>) angle brackets. This incomplete escaping leaves applications vulnerable to cross-site scripting (XSS) attacks when user-controlled data is embedded into JavaScript strings.

Exploitation

An attacker can exploit this vulnerability by supplying input that contains the unescaped characters. The angle brackets < and > can be used to break out of the JavaScript string context, because the HTML parser recognises tag syntax inside an inline script regardless of the JavaScript string the value sits in, and inject arbitrary HTML/script content. The line separator (U+2028) and paragraph separator (U+2029) are line terminators in ECMA-262, so a raw one inside a string literal ends the literal just as an unescaped newline would, which an escaping routine that only handles \n and \r misses. The attack requires no authentication and can be delivered via any input that is later rendered by the application in a JavaScript context, such as user profile fields, comments, or URL parameters, where the output is not properly sanitized [1][2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS score indicating medium to high severity depending on application context [2].

Mitigation

The vulnerability is fixed in Spring Framework versions 3.2.2 and later. The fix was implemented in commit 7a7df66 and its follow-up f5c9fe6, which added proper escaping for the angle brackets and Unicode line/paragraph separators [3][4]. Users of Spring Framework should upgrade to version 3.2.2 or later. If upgrading is not immediately possible, input validation and output encoding should be applied manually to affected contexts.
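To make the four missing escapes concrete, here is an added JavaScript example (not Spring's code): a port of the escape set the patched javaScriptEscape emits next to the pre-3.2.2 set, a check that a template test suite can run over escaped output before it is inlined into a script block, and a round-trip check that lets the JS engine itself parse the literal. It departs from Spring in one assumed detail, CR is emitted as \r rather than the \n the Spring tests expect, and the sample input is constructed.

```javascript
// Added example, not Spring's code: JavaScript port of the escape set that the
// patched JavaScriptUtils.javaScriptEscape (3.2.2+) emits, the pre-3.2.2 set,
// and two checks a defender can run over the escaped output.
// Escapes both versions share. Deviation from Spring: CR maps to \r, not \n.
const BASE_ESCAPES = new Map([
  ['"', '\\"'], ["'", "\\'"], ['\\', '\\\\'], ['/', '\\/'],
  ['\t', '\\t'], ['\n', '\\n'], ['\r', '\\r'], ['\f', '\\f'],
  ['\b', '\\b'], ['\u000B', '\\v'],
]);

// The four characters CVE-2013-6430 is about. '<' and '>' become \u003C/\u003E
// so a closing tag can never appear literally in the emitted text, and the two
// ECMA-262 line terminators become \u2028/\u2029 instead of raw code points.
const FIX_ESCAPES = new Map([
  ['<', '\\u003C'], ['>', '\\u003E'],
  ['\u2028', '\\u2028'], ['\u2029', '\\u2029'],
]);

function escapeWith(table, input) {
  let out = '';
  for (const ch of input) out += table.get(ch) ?? ch; // pass through otherwise
  return out;
}

// Pre-3.2.2 behaviour (vulnerable): only the shared table.
function javaScriptEscapeBefore(input) {
  return escapeWith(BASE_ESCAPES, input);
}

// 3.2.2+ behaviour (patched): shared table plus the four missing entries.
function javaScriptEscapeFixed(input) {
  return escapeWith(new Map([...BASE_ESCAPES, ...FIX_ESCAPES]), input);
}

// Check 1: text bound for a quoted literal in an inline <script> must carry none
// of these raw characters. '<' / '>' are visible to the HTML parser regardless
// of JS context; U+2028/U+2029 end a string literal in pre-ES2019 engines.
const RAW_UNSAFE = /[<>\u2028\u2029\r\n]/;
function isSafeForInlineScript(escaped) {
  return !RAW_UNSAFE.test(escaped);
}

// Check 2: wrapping the escaped text in quotes and letting the engine parse it
// must give back the original input (Function is used only as a parser here).
function roundTrips(input) {
  return new Function('return "' + javaScriptEscapeFixed(input) + '";')() === input;
}

// Constructed sample: a display name carrying each of the four characters.
const SAMPLE = "O'Neil <b>\u2028\u2029 x/y\\z";
```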

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
org.springframework:spring-web (Maven)   < 3.2.2.RELEASE     3.2.2.RELEASE

Affected products (2)

Patches (3)

7a7df6637478

Update JavaScriptUtils

https://github.com/spring-projects/spring-framework · Rossen Stoyanchev · Feb 15, 2013 · via ghsa
2 files changed · +95 −7
  • org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java (+28 −7, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2008 the original author or authors.
    + * Copyright 2002-2013 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -21,21 +21,21 @@
      * Escapes based on the JavaScript 1.5 recommendation.
      *
      * <p>Reference:
    - * <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals">
    - * Core JavaScript 1.5 Guide
    - * </a>
    + * <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals">
    + * JavaScript Guide</a> on Mozilla Developer Network.
      *
      * @author Juergen Hoeller
      * @author Rob Harrop
    + * @author Rossen Stoyanchev
      * @since 1.1.1
      */
     public class JavaScriptUtils {
     
     	/**
    -	 * Turn special characters into escaped characters conforming to JavaScript.
    -	 * Handles complete character set defined in HTML 4.01 recommendation.
    +	 * Turn JavaScript special characters into escaped characters.
    +	 *
     	 * @param input the input string
    -	 * @return the escaped string
    +	 * @return the string with escaped characters
     	 */
     	public static String javaScriptEscape(String input) {
     		if (input == null) {
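Review bot: the new Javadoc drops the "Handles complete character set defined in HTML 4.01 recommendation" claim but still does not say which characters are escaped or which context the output is safe in, and this commit is the fix for incomplete escaping. Suggest stating it in the method comment, e.g. `* Escapes quotes, backslash, slash, the \b \t \n \f \v controls, '<', '>' and the U+2028/U+2029 line terminators so the result can sit inside a quoted string literal in an inline script; it is not an HTML escaper.`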
    @@ -73,6 +73,27 @@ else if (c == '\r') {
     			else if (c == '\f') {
     				filtered.append("\\f");
     			}
    +			else if (c == '\b') {
    +				filtered.append("\\b");
    +			}
    +			// No '\v' in Java, use octal value for VT ascii char
    +			else if (c == '\013') {
    +				filtered.append("\\v");
    +			}
    +			else if (c == '<') {
    +				filtered.append("\\u003C");
    +			}
    +			else if (c == '>') {
    +				filtered.append("\\u003E");
    +			}
    +			// Unicode for PS (line terminator in ECMA-262)
    +			else if (c == '\u2028') {
    +				filtered.append("\\u2028");
    +			}
    +			// Unicode for LS (line terminator in ECMA-262)
    +			else if (c == '\u2029') {
    +				filtered.append("\\u2029");
    +			}
     			else {
     				filtered.append(c);
     			}
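Review bot: the two comments on the new Unicode branches are swapped: U+2028 is LINE SEPARATOR (LS) and U+2029 is PARAGRAPH SEPARATOR (PS), yet `// Unicode for PS (line terminator in ECMA-262)` sits above the `c == '\u2028'` check and `// Unicode for LS` above `'\u2029'`. Swap the comment text so a later reader does not "correct" the character constants to match. The escapes themselves are right: both are ECMA-262 LineTerminator code points, and emitting them as `\u2028` / `\u2029`, like `\u003C` / `\u003E` for the angle brackets, keeps the literal intact in every engine.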
    
  • org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java (+67 −0, added)
    @@ -0,0 +1,67 @@
    +/*
    + * Copyright 2004-2013 the original author or authors.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.springframework.web.util;
    +
    +import static org.junit.Assert.*;
    +
    +import java.io.UnsupportedEncodingException;
    +
    +import org.junit.Test;
    +
    +/**
    + * Test fixture for {@link JavaScriptUtils}.
    + *
    + * @author Rossen Stoyanchev
    + */
    +public class JavaScriptUtilsTests {
    +
    +	@Test
    +	public void escape() {
    +		StringBuilder sb = new StringBuilder();
    +		sb.append('"');
    +		sb.append("'");
    +		sb.append("\\");
    +		sb.append("/");
    +		sb.append("\t");
    +		sb.append("\n");
    +		sb.append("\r");
    +		sb.append("\f");
    +		sb.append("\b");
    +		sb.append("\013");
    +		assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString()));
    +	}
    +
    +	// SPR-9983
    +
    +	@Test
    +	public void escapePsLsLineTerminators() {
    +		StringBuilder sb = new StringBuilder();
    +		sb.append('\u2028');
    +		sb.append('\u2029');
    +		String result = JavaScriptUtils.javaScriptEscape(sb.toString());
    +
    +		assertEquals("\\u2028\\u2029", result);
    +	}
    +
    +	// SPR-9983
    +
    +	@Test
    +	public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException {
    +		assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>"));
    +	}
    +
    +}
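Review bot: `escapeLessThanGreaterThanSigns` declares `throws UnsupportedEncodingException` but nothing in it can throw, and the `java.io.UnsupportedEncodingException` import exists only for that clause; drop both. Also note that the expected value in `escape()`, `\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v`, locks in the existing mapping of `\r` to `\\n` (the second `\\n`), which is lossy when the value is read back; if that is intentional a comment on the assertion would help, otherwise `\\r` is the faithful escape.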
    
f5c9fe69a444

Update JavaScriptUtils

https://github.com/spring-projects/spring-framework · Rossen Stoyanchev · Feb 15, 2013 · via ghsa
2 files changed · +81 −0
  • spring-web/src/main/java/org/springframework/web/util/JavaScriptUtils.java (+14 −0, modified)
    @@ -80,6 +80,20 @@ else if (c == '\b') {
     			else if (c == '\013') {
     				filtered.append("\\v");
     			}
    +			else if (c == '<') {
    +				filtered.append("\\u003C");
    +			}
    +			else if (c == '>') {
    +				filtered.append("\\u003E");
    +			}
    +			// Unicode for PS (line terminator in ECMA-262)
    +			else if (c == '\u2028') {
    +				filtered.append("\\u2028");
    +			}
    +			// Unicode for LS (line terminator in ECMA-262)
    +			else if (c == '\u2029') {
    +				filtered.append("\\u2029");
    +			}
     			else {
     				filtered.append(c);
     			}
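Review bot: the LS/PS comments are swapped here exactly as in 7a7df66: the comment above `c == '\u2028'` should say LS and the one above `c == '\u2029'` PS. Since this commit carries the same branches into the `spring-web` module path, fix the comments in both copies so they do not diverge later.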
    
  • spring-web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java (+67 −0, added)
    @@ -0,0 +1,67 @@
    +/*
    + * Copyright 2004-2013 the original author or authors.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.springframework.web.util;
    +
    +import static org.junit.Assert.*;
    +
    +import java.io.UnsupportedEncodingException;
    +
    +import org.junit.Test;
    +
    +/**
    + * Test fixture for {@link JavaScriptUtils}.
    + *
    + * @author Rossen Stoyanchev
    + */
    +public class JavaScriptUtilsTests {
    +
    +	@Test
    +	public void escape() {
    +		StringBuilder sb = new StringBuilder();
    +		sb.append('"');
    +		sb.append("'");
    +		sb.append("\\");
    +		sb.append("/");
    +		sb.append("\t");
    +		sb.append("\n");
    +		sb.append("\r");
    +		sb.append("\f");
    +		sb.append("\b");
    +		sb.append("\013");
    +		assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString()));
    +	}
    +
    +	// SPR-9983
    +
    +	@Test
    +	public void escapePsLsLineTerminators() {
    +		StringBuilder sb = new StringBuilder();
    +		sb.append('\u2028');
    +		sb.append('\u2029');
    +		String result = JavaScriptUtils.javaScriptEscape(sb.toString());
    +
    +		assertEquals("\\u2028\\u2029", result);
    +	}
    +
    +	// SPR-9983
    +
    +	@Test
    +	public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException {
    +		assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>"));
    +	}
    +
    +}
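Review bot: this test file is a byte-for-byte copy of the one added in 7a7df66 under `org.springframework.web/`, so the unused `throws UnsupportedEncodingException` clause and its import come along with it; remove them in both copies.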
    
9982b4c01a8c

Add BS and VT char escape sequences to JavaScriptUtils

https://github.com/spring-projects/spring-framework · Rossen Stoyanchev · Jan 23, 2013 · via ghsa
1 file changed · +14 −7
  • spring-web/src/main/java/org/springframework/web/util/JavaScriptUtils.java (+14 −7, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2008 the original author or authors.
    + * Copyright 2002-2013 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -21,21 +21,21 @@
      * Escapes based on the JavaScript 1.5 recommendation.
      *
      * <p>Reference:
    - * <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals">
    - * Core JavaScript 1.5 Guide
    - * </a>
    + * <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals">
    + * JavaScript Guide</a> on Mozilla Developer Network.
      *
      * @author Juergen Hoeller
      * @author Rob Harrop
    + * @author Rossen Stoyanchev
      * @since 1.1.1
      */
     public class JavaScriptUtils {
     
     	/**
    -	 * Turn special characters into escaped characters conforming to JavaScript.
    -	 * Handles complete character set defined in HTML 4.01 recommendation.
    +	 * Turn JavaScript special characters into escaped characters.
    +	 *
     	 * @param input the input string
    -	 * @return the escaped string
    +	 * @return the string with escaped characters
     	 */
     	public static String javaScriptEscape(String input) {
     		if (input == null) {
    @@ -73,6 +73,13 @@ else if (c == '\r') {
     			else if (c == '\f') {
     				filtered.append("\\f");
     			}
    +			else if (c == '\b') {
    +				filtered.append("\\b");
    +			}
    +			// No '\v' in Java, use octal value for VT ascii char
    +			else if (c == '\013') {
    +				filtered.append("\\v");
    +			}
     			else {
     				filtered.append(c);
     			}
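Review bot: `\\v` is a valid ECMA-262 single escape but not a valid JSON escape, so output from this method fails `JSON.parse` if a caller ever routes it through JSON rather than a script literal; `\\u000B` is accepted by both, and emitting it would also make the octal comparison `c == '\013'` self-explanatory without the `// No '\v' in Java` comment. `\\b` is fine in both grammars.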
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (10)

News mentions (0)

No linked articles in our index yet.