Cross-site scripting
ID: java/xss
Kind: path-problem
Security severity: 6.1
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-079
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
Directly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.
Recommendation
To guard against cross-site scripting, apply contextual output encoding or escaping (matching the HTML, attribute, JavaScript, or URL context the value lands in) before writing user input to the page, or use one of the other solutions mentioned in the references.
Example
The following example shows the "page" request parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class XSS extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // BAD: a request parameter is written directly to the Servlet response stream,
        // so any markup or script in the "page" value is rendered by the browser
        response.getWriter().print(
            "The page \"" + request.getParameter("page") + "\" was not found.");
    }
}
```
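The hardened form of the same servlet, as an added example that is not part of the original query documentation: the parameter is passed through an HTML escaper before it reaches the response stream, so the browser renders it as text rather than markup. The escapeHtml helper and the XSSFixed class name are assumptions made for this example; the imports assume the javax.servlet API (use jakarta.servlet on Servlet 5 and later).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class XSSFixed extends HttpServlet {

    // Escape the characters that carry meaning in an HTML body or a quoted
    // attribute value. This is sufficient for those two contexts only; values
    // placed inside <script> blocks, event handlers or URLs need their own encoder.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Declare the content type so the browser does not sniff it
        response.setContentType("text/html;charset=UTF-8");

        // GOOD: the untrusted value is HTML-escaped before it is written to the page.
        // A value such as <script>alert(1)</script> is emitted as
        // &lt;script&gt;alert(1)&lt;/script&gt; and displayed as literal text.
        String page = escapeHtml(request.getParameter("page"));
        response.getWriter().print(
            "The page \"" + page + "\" was not found.");
    }
}
```

In production code a maintained library is preferable to a hand-written escaper; with the OWASP Java Encoder the same line becomes Encode.forHtml(request.getParameter("page")), and the library also provides context-specific variants such as Encode.forHtmlAttribute, Encode.forJavaScript and Encode.forUriComponent. The CodeQL query recognises such encoders as sanitizers, so the flow from getParameter to the response writer is no longer reported once one of them sits on the path.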
References
Wikipedia: Cross-site scripting.
Common Weakness Enumeration: CWE-79.