minusworld.java-httpservlet-jsp-xss

Community Favorite

r2c

Author

953

Download Count*

LGPL Commons Clause

License

Secure XSS defaults for HttpServlets+JSP.

Run Locally

Rules (4)

java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled

semgrep

regex

Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.

java.lang.security.audit.xss.jsp.no-scriptlets.no-scriptlets

semgrep

regex

JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.

java.lang.security.audit.xss.jsp.use-escapexml.use-escapexml

semgrep

regex

Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information.

java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer

semgrep

java

Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.