Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The application disables Wicket's string escaping by calling `setEscapeModelStrings(false)`. If the model string carries user-supplied input, this can lead to Cross-Site Scripting (XSS): an attack in which a web application is made to treat user input as markup or script code. Data must be encoded for the specific context in which it is used.

Examples

Insecure Code

```java
import org.apache.wicket.Component;
import org.apache.wicket.markup.html.basic.Label;
...
// Component is abstract, so a concrete subclass (Label) is instantiated; "message" is its wicket:id
// and untrustedModel is an IModel<String> backed by request data (elided in the original).
Component component = new Label("message", untrustedModel);
component.setEscapeModelStrings(false); // the model string is written into the page unescaped
```

Secure Code

```java
import org.apache.wicket.Component;
import org.apache.wicket.markup.html.basic.Label;
...
// Same component as above; "message" is its wicket:id and untrustedModel is an IModel<String>
// backed by request data (elided in the original).
Component component = new Label("message", untrustedModel);
component.setEscapeModelStrings(true); // the model string is HTML-escaped before rendering
```

Remediation

Use Wicket's built-in escaping feature by calling `Component.setEscapeModelStrings(true);`
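As an added illustration, not part of the original rule text, the following Wicket page assumes a hypothetical `comment` request parameter and a matching `CommentPage.html` markup file containing elements with `wicket:id="plainComment"` and `wicket:id="richComment"`. It shows the default escaping path beside the one situation where disabling escaping on a component is acceptable: the untrusted portion of the string was already escaped with `Strings.escapeMarkup` before escaping was turned off on the wrapping markup.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.util.string.Strings;

public class CommentPage extends WebPage {

    // Builds server-controlled markup around an untrusted string. Only the
    // untrusted part is escaped; the surrounding tags are fixed by the code.
    static String boldComment(String untrusted) {
        return "<strong>" + Strings.escapeMarkup(untrusted) + "</strong>";
    }

    public CommentPage(PageParameters params) {
        // Hypothetical request parameter; treat it as attacker-controlled.
        String comment = params.get("comment").toString("");

        // Safe default: escaping stays enabled, so "<script>" is rendered as text.
        add(new Label("plainComment", Model.of(comment)));

        // Markup is genuinely needed here, so escaping is disabled on the Label,
        // but the only untrusted data inside the string was escaped in boldComment().
        Label rich = new Label("richComment", Model.of(boldComment(comment)));
        rich.setEscapeModelStrings(false);
        add(rich);
    }
}
```

For `comment = "<img src=x onerror=alert(1)>"`, `boldComment` yields `<strong>&lt;img src=x onerror=alert(1)&gt;</strong>`, so the browser shows the text rather than executing it.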

Rule Details

| Field | Value |
|---|---|
| ID | CODE-0733 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cross-site Scripting |
| OWASP | A1:2017-Injection, A03:2021-Injection |