hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
remove-javascript
codeql/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
Chris Smowton b3c186c513 Convert XSS test to inline expectations
2021-06-28 19:24:18 +01:00

65 lines
2.1 KiB
Java
Raw Permalink Blame History

// Test case for
// CWE-079: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
// http://cwe.mitre.org/data/definitions/79.html
package test.cwe079.cwe.examples;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class XSS extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// BAD: a request parameter is written directly to the Servlet response stream
response.getWriter().print(
"The page \"" + request.getParameter("page") + "\" was not found."); // $xss
// GOOD: servlet API encodes the error message HTML for the HTML context
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + request.getParameter("page") + "\" was not found.");
// GOOD: escape HTML characters first
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + encodeForHtml(request.getParameter("page")) + "\" was not found.");
// GOOD: servlet API encodes the error message HTML for the HTML context
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
// BAD: outputting the path of the resource
response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $xss
// BAD: typical XSS, this time written to an OutputStream instead of a Writer
response.getOutputStream().write(request.getPathInfo().getBytes()); // $xss
}
/**
* Replace special characters in the given text such that it can
* be inserted into an HTML file and not be interpreted as including
* any HTML tags.
*/
static String encodeForHtml(String text) {
// This is just a stub. For an example of a real implementation, see
// the OWASP Java Encoder Project.
return text.replace("<", "&lt;");
}
static String capitalizeName(String text) {
return text.replace("foo inc", "Foo, Inc.");
}
}
Reference in New Issue View Git Blame Copy Permalink