
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
28 lines
1.4 KiB
Plaintext
== Why is this an issue?
In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is fool-proof, it may not be enough to screen the data that's submitted to an application. You should also escape any previously-stored content sent to the user so that any malicious code that may have escaped your input screening is neutralized.
This rule checks values retrieved from a database or a parameter and passed to ``++HttpServletRequest.setAttribute()++``, ``++HttpSession.setAttribute()++``, ``++HttpServletResponse.sendError++``, and to the ``++write++`` method of the ``++PrintWriter++`` returned from ``++HttpResponse.getWriter()++``.
=== Noncompliant code example
[source,java]
----
public String getTaintedValue(Connection con, HttpServletRequest request) throws SQLException {
  PreparedStatement pstmt = null;
  String query = "select TAINTED_VALUE " +
                 "from TAINTED_VALUES where KEY=?";
  String taintedValue = null;
  try {
    pstmt = con.prepareStatement(query);
    pstmt.setString(1, request.getParameter("key")); // PreparedStatements escape their inputs, so this incoming value is okay
    ResultSet rs = pstmt.executeQuery();
    while (rs.next()) {
      taintedValue = rs.getString("TAINTED_VALUE");
      request.setAttribute("taintedValue", taintedValue); // Noncompliant; this value should be escaped before being sent back to the user.
    }
  } finally {
    if (pstmt != null) {
      pstmt.close(); // closing the statement also closes its ResultSet
    }
  }
  return taintedValue;
}
----
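For contrast, the following compliant counterpart is an added illustration, not part of the rule's original text: the stored value is HTML-escaped before it reaches the sinks the rule names (`setAttribute` and the `PrintWriter` from `getWriter()`). The class name `EscapedValueServletHelper` and the `escapeHtml` helper are assumptions introduced here.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class EscapedValueServletHelper { // hypothetical class, added for illustration
  // Minimal HTML escaper (illustrative): neutralizes the characters that let stored data break out of text or attribute context.
  static String escapeHtml(String value) {
    if (value == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&#39;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  public String getEscapedValue(Connection con, HttpServletRequest request, HttpServletResponse response)
      throws SQLException, IOException {
    String query = "select TAINTED_VALUE from TAINTED_VALUES where KEY=?";
    String escaped = "";
    try (PreparedStatement pstmt = con.prepareStatement(query)) {
      pstmt.setString(1, request.getParameter("key")); // parameter binding keeps the incoming key out of the SQL text
      try (ResultSet rs = pstmt.executeQuery()) {
        while (rs.next()) {
          // Escape the stored value before it reaches any sink that renders it for the user.
          escaped = escapeHtml(rs.getString("TAINTED_VALUE"));
          request.setAttribute("taintedValue", escaped); // Compliant: escaped before being sent back
        }
      }
    }
    PrintWriter out = response.getWriter();
    out.write(escaped); // Compliant: the PrintWriter only ever receives escaped content
    return escaped;
  }
}
```

The hand-written escaper is only sufficient for HTML text and quoted-attribute context; a project would normally rely on a maintained encoding library and pick the encoder that matches where the value is emitted (HTML, JavaScript, URL).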
include::see.adoc[]