Spring content types: recognise constant content-type strings

2026-04-28 02:05:14 +02:00 · 2021-06-22 19:26:16 +01:00
parent 4397371a50
commit 701d0bcdca
3 changed files with 24 additions and 5 deletions
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -60,7 +60,7 @@ public class SpringXSS {

  @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $MISSING: xss
+    return ResponseEntity.ok(userControlled); // $xss
  }

  @GetMapping(value = "/xyz", produces = "text/html")