=== on 5 Feb 2015, 20:08:00 Ann Campbell wrote:
In the WebGoat project, one of the exercises is to inject a script into a value that's then stored in the database, and the point of the lesson is to escape outgoing values.


Also: \https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content


This rule may need a sort of whitelist parameter: i.e. ignore values that have been passed through x method.

=== on 5 Feb 2015, 20:22:09 Ann Campbell wrote:
We may also need to narrow the scope of this some. Perhaps to values retrieved from external sources, e.g. file, database, etc...?

=== on 20 Jul 2015, 07:40:30 Ann Campbell wrote:
Tagged java-top by Ann

=== on 21 Sep 2015, 09:57:21 Ann Campbell wrote:
\[~michael.gumowski] I've updated this rule mostly as discussed, but added another source of data to check: parameters

=== on 23 Sep 2019, 17:43:18 Alexandre Gigleux wrote:
This rule is corresponding to Stored XSS. I'm closing it for now as it will be covered by a more generic RSPEC similarly to what we did for Reflected XSS (RSPEC-5131).