Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ID

scala.xss.scala_xss_rule_requestwrapper

Severity

low

Resource

Xss

Language

Scala

Description

Avoid using custom XSS filtering. Please use standard sanitization functions.

Rationale

Avoid using custom XSS filtering. Please use standard sanitization functions. A hand-written filter such as a regex denylist applied to request input has to anticipate every markup and encoding variant, strips or alters the data instead of encoding it for the context in which it is rendered, and is not maintained against new bypasses the way a standard encoder or sanitizer is.

The following code illustrates a vulnerable pattern detected by this rule:

import java.util.regex.Pattern
import javax.servlet.http.{HttpServletRequest, HttpServletRequestWrapper}

// The snippet on this page starts mid-method. The enclosing class, the first
// override (assumed here to be getParameter), the return value of stripXSS and
// the pattern list are reconstructed so that the example compiles; the
// flagged filtering logic is unchanged.
class RequestWrapper(request: HttpServletRequest) extends HttpServletRequestWrapper(request) {

  override def getParameter(name: String) = {
    val value = super.getParameter(name)
    stripXSS(value)
  }

  override def getHeader(name: String) = {
    val value = super.getHeader(name)
    stripXSS(value)
  }

  // VULNERABLE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  private def stripXSS(value: String) = {
    var innerValue = value
    // NOTE: It's highly recommended to use the ESAPI library and uncomment the
    // following line to avoid encoded attacks.
    // value = ESAPI.encoder().canonicalize(value);
    if (innerValue != null) {
      // Avoid null characters
      innerValue = innerValue.replaceAll("\u0000", "")
      // Remove all sections that match a pattern
      for (scriptPattern <- RequestWrapper.patterns) {
        innerValue = scriptPattern.matcher(innerValue).replaceAll("")
      }
    }
    innerValue
  }
}

object RequestWrapper {
  // Assumed denylist (not shown on the page): a regex blacklist of this kind
  // is exactly the custom filtering the rule reports.
  val patterns: Seq[Pattern] = Seq(
    Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
    Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE)
  )
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
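The following is an added example of the remediated pattern; it is not code from the page or from the scanner's rule set. Instead of rewriting request parameters in a wrapper, the request value is passed through untouched and encoded at the point where it is written into the page, using the context-specific functions of the OWASP Java Encoder (`org.owasp.encoder.Encode`, an assumed dependency) inside a plain `javax.servlet` servlet. The servlet and page names are illustrative.

```scala
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}
import org.owasp.encoder.Encode

// Renders a greeting page for the "name" query parameter.
// The raw value is kept as-is; each place it is interpolated uses the
// encoder for that output context (HTML body, HTML attribute, JS string).
object GreetingPage {
  def render(name: String): String =
    s"""<!DOCTYPE html>
       |<html><body>
       |  <h1>Hello, ${Encode.forHtml(name)}</h1>
       |  <input type="text" name="name" value="${Encode.forHtmlAttribute(name)}">
       |  <script>
       |    var visitor = "${Encode.forJavaScript(name)}";
       |    console.log(visitor);
       |  </script>
       |</body></html>
       |""".stripMargin
}

class GreetingServlet extends HttpServlet {
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // No input filtering here: a null or unusual value is handled by the encoder
    // at output time, and the stored/logged value stays exactly what was sent.
    val name = Option(req.getParameter("name")).getOrElse("guest")
    resp.setContentType("text/html; charset=UTF-8")
    resp.getWriter.write(GreetingPage.render(name))
  }
}

object GreetingPageDemo {
  def main(args: Array[String]): Unit = {
    // Constructed sample input containing markup and an ampersand; the
    // rendered page shows it as text in each context rather than as markup.
    println(GreetingPage.render("Ann <b>& Co</b>"))
  }
}
```

The difference from the flagged wrapper is where the work happens: the wrapper has to guess, before the data is used anywhere, every form a dangerous string might take, and it destroys legitimate input that happens to match. Output encoding leaves the value intact and makes the decision once, at the sink, where the rendering context (and therefore the correct escaping rule) is known. If a field must accept a subset of HTML, use a maintained HTML sanitizer library in the same way rather than a home-grown pattern list.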

Configuration

This detector does not need any configuration.

References