Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ID

scala.xss.scala_xss_rule_wicketxss

Severity

low

Resource

Xss

Language

Scala

Description

Disabling HTML escaping puts the application at risk of Cross-Site Scripting (XSS).

Rationale

Disabling HTML escaping puts the application at risk of Cross-Site Scripting (XSS): a component whose model value is rendered unescaped writes that value into the page as markup, so any user-controlled data it carries is interpreted by the browser.

The following code illustrates a vulnerable pattern detected by this rule:

import org.apache.wicket.markup.html.WebPage
import org.apache.wicket.markup.html.basic.Label
import org.apache.wicket.request.mapper.parameter.PageParameters

class XssWicketExamplePage(pageParameters: PageParameters) extends WebPage(pageParameters) {
  // VULNERABLE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  add(new Label("test").setEscapeModelStrings(false)) // Wicket's HTML escaping is switched off for this component's model value
}

Remediation

Leave Wicket's default HTML escaping enabled: do not call setEscapeModelStrings(false) on components whose model value may contain user-controlled data. Follow secure coding practices and review the references below for detailed remediation guidance.
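As an added illustration (not part of this rule's own documentation), the following hypothetical Wicket page in Scala shows the flagged pattern next to its remediated form; the GreetingPage class, the component ids and the `name` page parameter are assumptions, and the matching `wicket:id` elements are assumed to exist in GreetingPage.html.

```scala
import org.apache.wicket.markup.html.WebPage
import org.apache.wicket.markup.html.basic.Label
import org.apache.wicket.model.Model
import org.apache.wicket.request.mapper.parameter.PageParameters
import org.apache.wicket.util.string.Strings

// Hypothetical page: the "name" request parameter is attacker-controlled input.
class GreetingPage(parameters: PageParameters) extends WebPage(parameters) {
  private val name: String = parameters.get("name").toString("")

  // VULNERABLE (the pattern this rule flags): escaping is switched off, so the
  // raw parameter value is written into the response as markup.
  add(new Label("rawGreeting", Model.of(name)).setEscapeModelStrings(false))

  // REMEDIATED: Wicket's default (escapeModelStrings = true) replaces '<', '>',
  // '&' and quotes with entities, so the value is rendered as text, not markup.
  add(new Label("safeGreeting", Model.of(name)))
}

// Stand-alone view of what the default setting does, using Wicket's own
// escaper (Strings.escapeMarkup is what Component applies when escaping is on).
object EscapingDemo {
  def escaped(input: String): String = Strings.escapeMarkup(input).toString

  def main(args: Array[String]): Unit = {
    // Constructed sample input containing markup characters.
    val sample = "<b onmouseover=\"x()\">Ann & Bob</b>"
    println(s"raw:     $sample")
    println(s"escaped: ${escaped(sample)}")
  }
}
```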

Configuration

This detector does not need any configuration.

References