Cross-Site Scripting (XSS) via Improper Input Neutralization

Description

Disabling HTML escaping puts the application at risk for Cross-Site Scripting (XSS). This occurs when user input is not properly sanitized before being included in the HTML output, allowing an attacker to inject malicious scripts.

Examples

Insecure Code

scala

def index(request: Request) = Action { Ok("<h1>" + request.body) }

Secure Code

scala

def index(request: Request) = Action { Ok(org.owasp.encoder.Encode.forHtml(request.body)) }

Remediation

Use a library like OWASP ESAPI to encode user input for HTML output, such as org.owasp.encoder.Encode.forHtml(...)

Rule Details

Field	Value
ID	CODE-0083
Category	Web
Severity	HIGH
CWE	CWE-79
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	xss, scala, play framework
OWASP	N/A

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Cross-Site Scripting (XSS) via Improper Input Neutralization

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Cross-Site Scripting (XSS) via Improper Input Neutralization ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Cross-Site Scripting (XSS) via Improper Input Neutralization

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details