Cross-Site Scripting (XSS) via Improper Input Neutralization
Description
The application writes user-supplied data from the HTTP request directly into the HTTP response output writer. If that input contains markup or script and the application does not encode it for the output context, the browser interprets it as part of the page, resulting in reflected Cross-Site Scripting (XSS). Note that the control here is output encoding; input validation alone does not neutralize data that is echoed back into a rendered response.
Examples
Insecure Code
```java
// Untrusted request data is written straight into the response body, unencoded.
response.getWriter().write(request.getParameter("userInput"));
```
Secure Code
```java
import org.apache.commons.text.StringEscapeUtils;

String htmlInput = request.getParameter("userInput");   // untrusted
// Encode so < > & " ' reach the browser as entities, not markup.
String htmlEncoded = StringEscapeUtils.escapeHtml4(htmlInput);
// Set type/charset before getWriter(); setCharacterEncoding() is ignored afterwards.
response.setContentType("text/plain");
response.setCharacterEncoding("UTF-8");
response.getWriter().write(htmlEncoded);
```
Remediation
Encode user input for the context it is written into, for example with the Apache Commons Text `StringEscapeUtils` methods: `escapeHtml4` for HTML element content and quoted attribute values, `escapeEcmaScript` for JavaScript string literals. HTML encoding alone does not protect an unquoted attribute or the inside of a `<script>` block, so the encoder must match the output context. If the response is not meant to be rendered as HTML at all, declare an accurate `Content-Type` such as `text/plain` (together with `X-Content-Type-Options: nosniff`) so the browser will not interpret the body as HTML. For a response that is an HTML page, the content type stays `text/html` and output encoding is the control; switching it to `text/plain` would simply break the page.
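The following servlet is an added example, not code from the rule or the scanned application, showing the context-aware encoding described above: the same untrusted parameter is reflected into an HTML element body, a quoted attribute, and a JavaScript string literal, each with the encoder that fits that context. It assumes the Servlet API and Apache Commons Text are on the classpath; the class name `EchoServlet` and the parameter name `userInput` are illustrative.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.text.StringEscapeUtils;

// Added example (not the rule's own code). Reflects one untrusted parameter
// into three output contexts, encoding for each. Assumes the Servlet API and
// Apache Commons Text are available; EchoServlet is a hypothetical name.
public class EchoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Untrusted: the client controls this string end to end.
        String userInput = request.getParameter("userInput");
        if (userInput == null) {
            userInput = "";
        }

        // Declare type and charset BEFORE obtaining the writer;
        // setCharacterEncoding() has no effect once getWriter() has been called.
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        // Stop the browser from second-guessing the declared content type.
        response.setHeader("X-Content-Type-Options", "nosniff");

        // Context 1: HTML element body. escapeHtml4 turns < > & " ' into entities,
        // so <script>alert(1)</script> is rendered as text instead of executed.
        String forHtmlBody = StringEscapeUtils.escapeHtml4(userInput);

        // Context 2: quoted HTML attribute value. Same encoder, but the attribute
        // MUST be quoted below: escapeHtml4 leaves spaces alone, so an unquoted
        // attribute could still be broken out of with "x onmouseover=...".
        String forAttribute = StringEscapeUtils.escapeHtml4(userInput);

        // Context 3: JavaScript string literal inside <script>. HTML entities are
        // not decoded inside a script block, so HTML encoding is the wrong tool.
        // escapeEcmaScript backslash-escapes quotes, backslashes and '/', so a
        // payload of </script> becomes <\/script> and cannot close the block early.
        String forJsString = StringEscapeUtils.escapeEcmaScript(userInput);

        PrintWriter out = response.getWriter();
        out.println("<!doctype html><html><body>");
        out.println("<p>You searched for: " + forHtmlBody + "</p>");
        out.println("<input type=\"text\" name=\"q\" value=\"" + forAttribute + "\">");
        out.println("<script>var q = '" + forJsString + "';</script>");
        out.println("</body></html>");
    }
}
```

The same servlet would trip the rule if any of the three `out.println` calls used `userInput` directly; the fix is not one global encode but matching each sink to its encoder. If the endpoint returned raw text or JSON rather than a page, the right move would instead be an accurate `Content-Type` (`text/plain` or `application/json`) plus `nosniff`, as in the Secure Code snippet above.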
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0734 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cross-Site Scripting, Input Validation |
| OWASP | A1:2017-Injection, A03:2021-Injection |