rspec/rules/S2575/description.adoc
2021-06-08 14:23:48 +02:00

In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is foolproof, it may not be enough to screen the data that's submitted to an application. You should also escape any previously stored content sent to the user so that any malicious code that may have escaped your input screening is neutralized.
This rule checks values retrieved from a database or a parameter and passed to ``++HttpServletRequest.setAttribute()++``, ``++HttpSession.setAttribute()++``, ``++HttpServletResponse.sendError++``, and to the ``++write++`` method of the ``++PrintWriter++`` returned from ``++HttpResponse.getWriter()++``.
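The following is an added example, not part of the rule description or of any SonarSource code, showing the ``++PrintWriter.write++`` case the rule describes: a value read from storage is written verbatim in the noncompliant method and HTML-escaped on output in the compliant one. The ``++escapeHtml++`` helper is a hand-written stand-in for a maintained encoder such as the OWASP Java Encoder's ``++Encode.forHtml++``; the stored comment is a constructed sample, and a ``++StringWriter++`` replaces the writer a servlet would obtain from ``++getWriter()++`` so the class runs without a servlet container.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

public class StoredXssEscapingExample {

    // Minimal HTML escaper for text placed in element content or in a
    // quoted attribute value. Stand-in for a library encoder (assumption:
    // in a real project use something like OWASP Encode.forHtml instead).
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Noncompliant: a value that came from the database is handed to
    // PrintWriter.write() unchanged. In a servlet this is the pattern
    // response.getWriter().write(...) that the rule flags.
    static void renderNoncompliant(PrintWriter out, String storedComment) {
        out.write("<p>" + storedComment + "</p>");
    }

    // Compliant: the stored value is escaped at the point of output, so
    // markup that slipped past input screening is rendered as text.
    static void renderCompliant(PrintWriter out, String storedComment) {
        out.write("<p>" + escapeHtml(storedComment) + "</p>");
    }

    // Renders with the given method into a string so the two outputs can
    // be compared without a servlet container.
    static String render(boolean escape, String storedComment) {
        StringWriter sw = new StringWriter();
        PrintWriter out = new PrintWriter(sw);
        if (escape) {
            renderCompliant(out, storedComment);
        } else {
            renderNoncompliant(out, storedComment);
        }
        out.flush();
        return sw.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a comment that input screening let through.
        String storedComment = "<script>alert(1)</script>";

        System.out.println("noncompliant: " + render(false, storedComment));
        // noncompliant: <p><script>alert(1)</script></p>

        System.out.println("compliant:    " + render(true, storedComment));
        // compliant:    <p>&lt;script&gt;alert(1)&lt;&#x2F;script&gt;</p>
    }
}
```

The same escape-on-output step applies to the value passed to ``++sendError++`` and to attributes set with ``++setAttribute()++`` that a view later renders; the helper above is only correct for HTML text and attribute contexts, so a value placed inside a ``++<script>++`` block, a URL, or CSS needs the encoder for that context instead.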