Cross-Site Scripting (XSS) via Disabling HTML Escaping
Description
Disabling HTML escaping puts the application at risk for Cross-Site Scripting (XSS). This occurs when user input is not properly neutralized during web page generation, allowing an attacker to inject malicious scripts.
Examples
Insecure Code
```scala
import org.apache.wicket.markup.html.basic.Label

val label = new Label("userInput")
// Turns off Wicket's default escaping: the model string is written into the
// response as raw markup, so any tag contained in the input is rendered as-is.
label.setEscapeModelStrings(false)
```
Secure Code
```scala
import org.apache.wicket.markup.html.basic.Label

val label = new Label("userInput")
// Keeps escaping on (the default): characters such as < > & " are converted to
// entities at render time, so the input is displayed as text, not executed.
label.setEscapeModelStrings(true)
```
Remediation
Enable HTML escaping to prevent XSS attacks. Ensure that all user input is properly sanitized and validated before being rendered in a web page.
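The following added example (not part of this rule's own code) shows the pattern in context: a hypothetical Wicket page that renders an untrusted request parameter through a Label with escaping left enabled, followed by a WicketTester check that confirms the rendered response contains the entity-encoded text rather than the raw tag. It assumes Apache Wicket on the classpath and a markup file GreetingPage.html beside the class containing `<span wicket:id="userInput"></span>`.

```scala
import org.apache.wicket.markup.html.WebPage
import org.apache.wicket.markup.html.basic.Label
import org.apache.wicket.model.Model
import org.apache.wicket.request.mapper.parameter.PageParameters
import org.apache.wicket.util.tester.WicketTester

// Hypothetical page: renders the "q" query parameter into
// <span wicket:id="userInput"></span> of GreetingPage.html (markup assumed).
class GreetingPage(params: PageParameters) extends WebPage(params) {
  // Untrusted: taken straight from the request.
  private val userInput: String = params.get("q").toString("")

  // Escaping is Wicket's default; leaving it on makes "<" render as "&lt;".
  add(new Label("userInput", Model.of(userInput)))

  // The pattern this rule flags would be:
  //   add(new Label("userInput", Model.of(userInput)).setEscapeModelStrings(false))
  // which writes the raw string into the response.
}

// Constructed check: render the page with a tag in the parameter and verify
// that only the entity-encoded form reaches the response.
object EscapingCheck extends App {
  val tester = new WicketTester()
  val params = new PageParameters().add("q", "<script>alert(1)</script>")
  tester.startPage(new GreetingPage(params))
  // assertContains takes a regular expression, hence the escaped parentheses.
  tester.assertContains("&lt;script&gt;alert\\(1\\)&lt;/script&gt;")
  require(!tester.getLastResponseAsString.contains("<script>alert(1)"),
    "raw markup reached the response: escaping is disabled somewhere")
  tester.destroy()
}
```

Running the same check against a page that calls setEscapeModelStrings(false) fails the `require`, which makes it a usable regression test for this rule.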
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0085 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, HTML Escaping |
| OWASP | N/A |