java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled

profile photo of semgrepsemgrep
Author
6,309
Download Count*
LGPL Commons Clause
License

Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: autoescape-disabled
    message: Detected an element with disabled HTML escaping. If external data can
      reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no
      external data can reach here, or remove 'escape=false' from this element.
    metadata:
      owasp: A07:2017 - Cross-Site Scripting (XSS)
      cwe:
        - "CWE-150: Improper Neutralization of Escape, Meta, or Control
          Sequences"
      references:
        - https://stackoverflow.com/a/7442668
      category: security
      technology:
        - jsf
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    pattern-regex: .*escape.*?=.*?false.*
    paths:
      include:
        - "*.html"
        - "*.xhtml"
    languages:
      - regex
    severity: WARNING

Examples

autoescape-disabled.xhtml

<!-- ok: autoescape-disabled -->
<h:outputText value="#{someManagedBean.someValue}" />
<!-- ruleid: autoescape-disabled -->
<h:outputText value="#{someManagedBean.someValue}" escape="false" />