=== How to fix it in Thymeleaf

The following code is vulnerable to cross-site scripting.

User input embedded in HTML code should be HTML-encoded to prevent the injection of additional code.

[source,html]
----
<body>
<p th:utext="|Hello, ${input}!|" /> <!-- Noncompliant -->
<p>Hello, [(${input})]!</p> <!-- Noncompliant -->
</body>
----

[source,html]
----
<body>
<p th:text="|Hello, ${input}!|" />
<p>Hello, [[${input}]]!</p>
</body>
----

=== How does this work?

include::../../common/fix/data_encoding.adoc[]

For HTML encoding, JavaScript encoding, and CSS encoding, the documentation
allows the use of `unescaped text` in only two ways:

* with the attribute `th:utext`.
* with the inline expression `[(...)]`.

If you insert third-party data into the pages, the regular attributes are
preferable:

* with the attribute `th:text`.
* with the inline expression `[[...]]`.

They ensure that the correct encoding is used, regardless of the context in
which the user-controlled data is inserted. Thus, it is not necessary to specify a
particular encoder.
=== Pitfalls

include::../../common/pitfalls/validation.adoc[]