java.lang.security.audit.xss.jsp.use-escapexml.use-escapexml

Author: semgrep
Download count: 6,309

Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information.

Definition

rules:
  - id: use-escapexml
    message: Detected an Expression Language segment that does not escape output.
      This is dangerous because if any data in this expression can be controlled
      externally, it is a cross-site scripting vulnerability. Instead, use the
      'escapeXml' function from the JSTL taglib. See
      https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more
      information.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      references:
        - https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm
        - https://stackoverflow.com/a/4948856
        - https://stackoverflow.com/a/3180202
      category: security
      technology:
        - jsp
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    pattern-regex: \$\{(?!.*escapeXml).*\}
    paths:
      include:
        - "*.jsp"
    languages:
      - regex
    severity: WARNING
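The rule is a single pattern-regex, so its precision depends entirely on how that regex behaves on a line of JSP. The following added example (not part of the Semgrep rule or its test file) runs the rule's own regex over a few constructed JSP lines and re-implements the character table that JSTL's fn:escapeXml applies, so you can see both what the rule flags and what the fix actually changes in the output. It assumes line-by-line matching reproduces Semgrep's behaviour here, since '.' in pattern-regex does not cross newlines; the sample lines, the escape_xml helper and the findings function are constructed for this example.

```python
import re

# The rule's own pattern-regex, copied verbatim from the definition above.
USE_ESCAPEXML = re.compile(r"\$\{(?!.*escapeXml).*\}")

# Constructed JSP lines (not the rule's test file) chosen to show the
# regex's true positives, a false positive and a false negative.
SAMPLE_JSP = """\
<input value="${param.foo}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />
<c:out value="${param.foo}" />
<input value="${param.a}" /> <span>${fn:escapeXml(param.b)}</span>
<p>Static text with no EL at all</p>
"""


def findings(jsp_source: str) -> list:
    """Return the 1-based line numbers the rule's regex flags.

    Matching per line is an assumption of this example: Semgrep applies
    pattern-regex to the file, but '.' in the pattern never spans a
    newline, so each EL segment is judged against the rest of its line.
    """
    return [
        n
        for n, line in enumerate(jsp_source.splitlines(), 1)
        if USE_ESCAPEXML.search(line)
    ]


def escape_xml(value: str) -> str:
    """Python re-implementation of the replacements JSTL fn:escapeXml makes.

    A single pass over the characters avoids double-escaping '&', which is
    the classic mistake when the replacements are chained with str.replace.
    """
    table = {
        "&": "&amp;",
        "<": "&lt;",
        ">": "&gt;",
        "'": "&#039;",
        '"': "&#034;",
    }
    return "".join(table.get(ch, ch) for ch in value)


def render_attribute(untrusted: str, escaped: bool) -> str:
    """Show the HTML a JSP emits for <input value="..."> with and without escaping."""
    shown = escape_xml(untrusted) if escaped else untrusted
    return '<input value="%s" />' % shown


if __name__ == "__main__":
    print("flagged lines:", findings(SAMPLE_JSP))  # [1, 3]
    payload = '"><script>alert(1)</script>'
    print(render_attribute(payload, escaped=False))
    print(render_attribute(payload, escaped=True))
```

Two things the run makes visible. Line 3 is a false positive: `<c:out>` escapes XML by default, but the regex only looks for the literal text `escapeXml`. Line 4 is a false negative: the negative lookahead `(?!.*escapeXml)` scans to the end of the line, so one escaped expression anywhere later on the line silences an unescaped one before it. That is consistent with the rule's LOW confidence, and it is why findings from this rule are worth confirming by reading the surrounding template rather than by the match alone.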

Examples

use-escapexml.jsp

<%-- JSTL functions taglib; required for the fn:escapeXml call below to compile --%>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<!-- ruleid: use-escapexml -->
<input value="${param.foo}" />
<!-- ok: use-escapexml -->
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />

<div>
    <!-- ruleid: use-escapexml -->
    ${param.foo}
</div>