ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5131/java/how-to-fix-it/servlet.adoc

83 lines
2.4 KiB
Plaintext
Raw Normal View History

SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
=== How to fix it in a Servlet
The following code is vulnerable to cross-site scripting because it returns an HTML response that contains user input.
Third-party data, such as user input, is not to be trusted.
If embedded in HTML code, it should be HTML-encoded to prevent the injection of additional code. This can be done with the https://owasp.org/www-project-java-encoder/[OWASP Java Encoder] or similar libraries.
Education text Fix (#1338)
2022-10-18 16:03:10 +02:00
==== Noncompliant code example
Modify All Current Education Rules: Support intuitive view (#1256)
2022-09-15 10:28:08 +02:00
[source,java,diff-id=1,diff-type=noncompliant]
SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
Modify All Current Education Rules: Support intuitive view (#1256)
2022-09-15 10:28:08 +02:00
writer.print(data);
SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
}
----
Modify All Current Education Rules: Support intuitive view (#1256)
2022-09-15 10:28:08 +02:00
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
----
import org.owasp.encoder.Encode;
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
writer.print(Encode.forHtml(data));
}
----
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response with the content-type header.
For example, setting the content-type to `text/plain` with the `setContentType` function allows to safely reflect user input because browsers will not try to parse and execute the response.
Education text Fix (#1338)
2022-10-18 16:03:10 +02:00
==== Noncompliant code example
Modify All Current Education Rules: Support intuitive view (#1256)
2022-09-15 10:28:08 +02:00
[source,java,diff-id=2,diff-type=noncompliant]
SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
Modify All Current Education Rules: Support intuitive view (#1256)
2022-09-15 10:28:08 +02:00
writer.print(data);
SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
}
----
Modify All Current Education Rules: Support intuitive view (#1256)
2022-09-15 10:28:08 +02:00
==== Compliant solution
[source,java,diff-id=2,diff-type=compliant]
SONARSEC-3109 S5131 XSS rule should contain context-specific patches
2022-07-04 10:29:30 +02:00
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
response.setContentType("text/plain");
writer.print(data);
}
----
=== How does this work?
include::../../common/fix/data_encoding.adoc[]
`org.owasp.encoder.Encode.forHtml` is the recommended method to encode HTML entities.
=== Pitfalls
include::../../common/pitfalls/content-types.adoc[]
include::../../common/pitfalls/validation.adoc[]
Modify S5131(Multiple Languages): Add CSPs to 'Going The Extra Mile' (#1239)
2022-09-13 16:28:34 +02:00
=== Going the extra mile
include::../../common/extra-mile/csp.adoc[]
Reference in New Issue Copy Permalink