CodeQL library for Java
codeql/java-all 0.3.3 (changelog, source)
Search

Module XSS

Provides classes to reason about Cross-site scripting (XSS) vulnerabilities.

Import path

import semmle.code.java.security.XSS

Imports

DataFlow

Provides classes for performing local (intra-procedural) and global (inter-procedural) data flow analyses.

JSFRenderer

Provides classes and predicates for working with JavaServer Faces renderer.

Servlets

Provides classes and predicates for working with the Java Servlet API.

SpringController
SpringHttp

Provides classes for working with Spring classes and interfaces from org.springframework.http.

TaintTracking2
WebView
java

Provides all default Java QL imports.

Predicates

isXssSafeContentType

Holds if s is an HTTP Content-Type that is not vulnerable to XSS.

isXssVulnerableContentType

Holds if s is an HTTP Content-Type vulnerable to XSS.

Classes

XssAdditionalTaintStep

A unit class for adding additional taint steps.

XssSanitizer

A sanitizer that neutralizes dangerous characters that can be used to perform a XSS attack.

XssSink

A sink that represent a method that outputs data without applying contextual output encoding.

XssSinkBarrier

A sink that represent a method that outputs data without applying contextual output encoding, and which should truncate flow paths such that downstream sinks are not flagged as well.

XssVulnerableWriterSource

An output stream or writer that writes to a servlet, JSP or JSF response.

Aliases

ServletWriterSource

DEPRECATED: Use XssVulnerableWriterSource instead.