Module XSS
Provides classes to reason about Cross-site scripting (XSS) vulnerabilities.
Import path
import semmle.code.java.security.XSS
Imports
DataFlow | Provides classes for performing local (intra-procedural) and global (inter-procedural) data flow analyses.
JSFRenderer | Provides classes and predicates for working with JavaServer Faces renderers.
Servlets | Provides classes and predicates for working with the Java Servlet API.
SpringController |
SpringHttp | Provides classes for working with Spring classes and interfaces from
TaintTracking | Provides classes for performing local (intra-procedural) and global (inter-procedural) taint-tracking analyses.
WebView |
java | Provides all default Java QL imports.
Predicates
isXssSafeContentType | Holds if
isXssVulnerableContentType | Holds if
Classes
XssAdditionalTaintStep | A unit class for adding additional taint steps.
XssSanitizer | A sanitizer that neutralizes dangerous characters that could be used to perform an XSS attack.
XssSink | A sink that represents a method that outputs data without applying contextual output encoding.
XssSinkBarrier | A sink that represents a method that outputs data without applying contextual output encoding, and which should truncate flow paths so that downstream sinks are not flagged as well.
XssVulnerableWriterSource | An output stream or writer that writes to a servlet, JSP or JSF response.
XssVulnerableWriterSourceNode | An XSS-vulnerable writer source node.