java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled
Author: semgrep
Download Count: 6,309
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.
Definition
rules:
- id: autoescape-disabled
  message: Detected an element with disabled HTML escaping. If external data can
    reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no
    external data can reach here, or remove 'escape=false' from this element.
  metadata:
    owasp: A07:2017 - Cross-Site Scripting (XSS)
    cwe:
    - "CWE-150: Improper Neutralization of Escape, Meta, or Control
      Sequences"
    references:
    - https://stackoverflow.com/a/7442668
    category: security
    technology:
    - jsf
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Improper Validation
  pattern-regex: .*escape.*?=.*?false.*
  paths:
    include:
    - "*.html"
    - "*.xhtml"
  languages:
  - regex
  severity: WARNING
Examples
autoescape-disabled.xhtml
<!-- ok: autoescape-disabled -->
<h:outputText value="#{someManagedBean.someValue}" />
<!-- ruleid: autoescape-disabled -->
<h:outputText value="#{someManagedBean.someValue}" escape="false" />
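The rule above is a plain regex over .html and .xhtml files, which is why it is tagged as an audit rule with LOW confidence: it cannot tell a literal escape="false" from an attribute that merely happens to contain the words "escape" and "false". The following script is an added example, not part of the Semgrep rule or the registry page. It runs the rule's own regex over a handful of constructed Facelets lines, contrasts it with a stricter attribute-level regex (my own, not the rule's), and shows with a simplified model of what <h:outputText> writes why escape="false" matters when attacker-controlled data reaches the value. The helper names, the STRICT_REGEX, and the render model are assumptions for illustration.

```python
import html
import re

# The rule's own regex, copied verbatim from the definition above.
RULE_REGEX = re.compile(r".*escape.*?=.*?false.*")

# A tighter check (added here, not part of the rule) that only fires on a
# literal escape="false" attribute. It trades recall for precision: an EL
# expression such as escape="#{...}" that evaluates to false is not caught.
STRICT_REGEX = re.compile(r'\bescape\s*=\s*["\']\s*false\s*["\']', re.IGNORECASE)

# Constructed sample lines from a hypothetical .xhtml view, not from any real project.
SAMPLE_XHTML = [
    '<h:outputText value="#{someManagedBean.someValue}" />',                     # 1: default escaping
    '<h:outputText value="#{someManagedBean.someValue}" escape="false" />',      # 2: true positive
    '<h:outputText value="#{someManagedBean.someValue}" escape="true" />',       # 3: explicit escaping
    '<h:outputText value="#{someManagedBean.escapeRoom}" rendered="false" />',   # 4: false positive for the rule regex
    '<h:outputText value="#{bean.html}" escape="#{bean.trusted ? \'false\' : \'true\'}" />',  # 5: needs manual review
]


def scan(lines, regex=RULE_REGEX):
    """Return the 1-based line numbers the given regex flags, mimicking a
    pattern-regex rule applied to one file."""
    return [i for i, line in enumerate(lines, start=1) if regex.search(line)]


def render_output_text(value, escape=True):
    """Simplified model (not the JSF renderer) of what <h:outputText> emits:
    with escape="true", the default, markup-significant characters are
    entity-encoded; with escape="false" the value lands in the page as-is."""
    return html.escape(value, quote=True) if escape else value


if __name__ == "__main__":
    print("rule regex flags lines:  ", scan(SAMPLE_XHTML))                # [2, 4, 5]
    print("strict regex flags lines:", scan(SAMPLE_XHTML, STRICT_REGEX))  # [2]
    payload = '<img src=x onerror="alert(document.domain)">'              # constructed attacker input
    print("escaped:  ", render_output_text(payload))
    print("unescaped:", render_output_text(payload, escape=False))
```

Line 4 shows why the rule carries LOW confidence: the rule regex matches because "escape" (inside escapeRoom) is followed by an "=" and then "false" (inside rendered="false"), although escaping is untouched. Line 5 shows the opposite problem for any textual check: the attribute takes an EL expression, so whether escaping is really disabled is only known at runtime, and the strict regex misses it. Treat a hit as a prompt to trace where the value comes from, not as a confirmed finding.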
Short Link: https://sg.run/qxne