Cross-site Scripting (XSS) Vulnerability
Description
A request parameter is written into the HTTP response without output encoding. An attacker who can get a victim to open a crafted URL (reflected XSS) or who can store a payload that is later reflected can run attacker-controlled JavaScript in the victim's browser with the privileges of the application's origin: reading the DOM, issuing same-origin requests, and stealing session tokens that are not HttpOnly. The root cause is not a lack of input sanitization but the absence of encoding for the output context (HTML body, attribute, script or URL) at the point where untrusted data is written to the page.
Examples
Insecure Code
```scala
import javax.servlet.http.{HttpServletRequest, HttpServletResponse}

// Reflects the raw "userInput" parameter into the response body.
// A value such as <script>alert(1)</script> is delivered to the browser as live markup.
def example(req: HttpServletRequest, res: HttpServletResponse): Unit = {
  val writer = res.getWriter
  writer.write(req.getParameter("userInput"))
}
```
Secure Code
```scala
import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
import org.owasp.encoder.Encode

// Entity-encodes the parameter for the HTML text context before it reaches the response,
// so < > & " ' arrive as &lt; &gt; &amp; &#34; &#39; and cannot start a tag or attribute.
def example(req: HttpServletRequest, res: HttpServletResponse): Unit = {
  val writer = res.getWriter
  writer.write(Encode.forHtml(req.getParameter("userInput")))
}
```
Remediation
Encode untrusted data for the exact context it is written into, at the point where it is written to the response. org.owasp.encoder.Encode.forHtml() is the right call for HTML text content and for quoted attribute values. It is not sufficient when the value lands inside a JavaScript string literal, an unquoted attribute, or a URL: HTML entities are not decoded inside a script block, so use Encode.forJavaScript(), Encode.forHtmlAttribute() or Encode.forUriComponent() for those contexts. Set an explicit Content-Type with a charset on the response so the browser and the encoder agree on the character set, and guard against getParameter() returning null. Output encoding does not replace input validation; where the parameter has a known shape (an integer, an enum value), validate it as well.
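The following is an added example, not the rule's own code, showing the same parameter reflected into four different contexts with the encoder that matches each one. It assumes the OWASP Java Encoder (org.owasp.encoder.Encode) and the Servlet API are on the classpath; the page is rendered to a string so the encoding can be inspected without a container, and the payload in main is constructed for illustration.

```scala
import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
import org.owasp.encoder.Encode

// Added example (not the rule's own code). Assumes org.owasp.encoder:encoder is available.
object ContextAwareReflection {

  // Builds the page as a string so the encoded output can be checked in a unit test.
  def render(userInput: String): String = {
    val sb = new StringBuilder
    // 1. HTML text content: forHtml turns < > & " ' into entities.
    sb.append("<p>You searched for: ")
      .append(Encode.forHtml(userInput))
      .append("</p>\n")
    // 2. Quoted attribute value: forHtmlAttribute; the surrounding quotes are kept in the template.
    sb.append("<input type=\"text\" name=\"q\" value=\"")
      .append(Encode.forHtmlAttribute(userInput))
      .append("\">\n")
    // 3. Inside a JavaScript string literal: HTML entities would NOT be decoded here, so
    //    forJavaScript is required; it escapes the characters that could end the literal
    //    or the <script> element.
    sb.append("<script>var q = '")
      .append(Encode.forJavaScript(userInput))
      .append("';</script>\n")
    // 4. URL query component: percent-encode the value first, then encode the whole href
    //    for the attribute context it sits in (two layers, applied inside-out).
    val href = "/search?q=" + Encode.forUriComponent(userInput)
    sb.append("<a href=\"")
      .append(Encode.forHtmlAttribute(href))
      .append("\">search again</a>\n")
    sb.toString
  }

  // Servlet entry point: declare the charset and tolerate a missing parameter.
  def example(req: HttpServletRequest, res: HttpServletResponse): Unit = {
    res.setContentType("text/html; charset=UTF-8")
    val input = Option(req.getParameter("userInput")).getOrElse("") // getParameter may return null
    res.getWriter.write(render(input))
  }

  def main(args: Array[String]): Unit = {
    // Constructed payload for illustration only.
    val payload = "<script>alert(1)</script>"
    val page = render(payload)
    // The text context carries the entity-encoded form, never a live <script> tag.
    assert(page.contains("<p>You searched for: &lt;script&gt;alert(1)&lt;/script&gt;</p>"))
    assert(!page.contains("<p>You searched for: <script>"))
    println(page)
  }
}
```

The design point is that the encoder is chosen by where the data lands, not by where it came from; a single forHtml() call applied to a value that is later dropped into a script literal or an href leaves the page exploitable.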
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0087 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cross-site Scripting |
| OWASP | N/A |