CodeQL documentation
Cross-site scripting

ID: java/xss
Kind: path-problem
Security severity: 6.1
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-079
Query suites:
  - java-code-scanning.qls
  - java-security-extended.qls
  - java-security-and-quality.qls

Directly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.

Recommendation

To guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.

Example

The following example shows the page parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class XSS extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // BAD: a request parameter is written directly to the Servlet response stream
            response.getWriter().print(
                "The page \"" + request.getParameter("page") + "\" was not found.");
        }
    }
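The same servlet with the recommendation applied, as an added example that is not part of the CodeQL documentation: the parameter is escaped for the HTML context it is written into before reaching the response. It assumes the javax.servlet API on the classpath; the escapeHtml helper is a hypothetical minimal escaper written here for self-containment, where a real project would use a maintained encoding library.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the CodeQL docs): the lookup servlet with contextual
// output encoding applied before the request parameter reaches the page.
public class XSSFixed extends HttpServlet {

    // Hypothetical minimal escaper for HTML text and double-quoted attribute
    // contexts; covers the five characters that can change HTML structure.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Declare the content type and charset so the browser parses the
        // response as HTML in the encoding the escaper assumes.
        response.setContentType("text/html;charset=UTF-8");
        // GOOD: the parameter is escaped for the HTML context it lands in, so
        // any markup it contains is rendered as text rather than interpreted.
        String page = escapeHtml(request.getParameter("page"));
        response.getWriter().print("The page \"" + page + "\" was not found.");
    }
}
```

Escaping is context-specific: the helper above is only correct for HTML body text and quoted attributes, and a value written into a script block, URL or CSS context needs the encoder for that context.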

References

