I have inherited a legacy application and there is a snippet of code given below.
// Types used: java.io.IOException, java.util.ArrayList, java.util.Iterator,
// javax.servlet.jsp.JspWriter
private static void printKeywordCheckboxes(JspWriter out, ArrayList words, int type)
        throws IOException {
    LogbookKeyword thisWord;
    Iterator iterWord = words.iterator();
    while (iterWord.hasNext()) {
        thisWord = (LogbookKeyword) iterWord.next();
        // The keyword text is written straight into the page without
        // encoding; this is the line Veracode flags
        out.println(" <input type=\"checkbox\" name=\"keywordCheckbox" +
                    type + "\" value=\"" +
                    thisWord.hashCode() + "\" checked/>" +
                    thisWord.getWord() + "<br>");
    }
}
Veracode is throwing an exception "Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)" at the 'out.println()'.
Can anybody let me know how this issue should be fixed? Any help would be greatly appreciated.
The problem is that 'words' are being passed down to your method, but there is no neutralization of these before they get used - the words get used 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf
When you are generating this HTML, you are going to need to neutralize the user input - make sure it is harmless before turning it into HTML. My Java is a bit rusty but a Google gives us some suggestions:
- Recommended method for escaping HTML in Java
- Java escape HTML
Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Also note that there are certain cleansing functions that Veracode recognizes in Java that have been reviewed and OK'd by Veracode's security team. You can find this list in the Veracode Help Center.
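The following is an added example, not code from the question or from either answer. It rebuilds the question's printKeywordCheckboxes loop so that the keyword text is HTML-entity encoded before it is written into the page. LogbookKeyword is a hypothetical stand-in for the application's class, and renderKeywordCheckboxes returns a String instead of writing to a JspWriter so that the class runs stand-alone; in the JSP you would pass its result to out.println().

```java
import java.util.ArrayList;
import java.util.List;

public class KeywordCheckboxes {

    // Hypothetical stand-in for the application's LogbookKeyword class.
    static final class LogbookKeyword {
        private final String word;
        LogbookKeyword(String word) { this.word = word; }
        String getWord() { return word; }
    }

    // Entity-encode the characters that change meaning in HTML text nodes
    // and in quoted attribute values. '&' is handled alongside the others
    // so that entities already present in the input are not passed through.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened version of the question's loop. The checkbox value is the
    // object's hashCode(), an int, so it cannot carry markup; the visible
    // label is the keyword text and is encoded before it reaches the page.
    // Any string that replaced hashCode() in the value would need the same
    // encoding, since it sits inside a double-quoted attribute.
    static String renderKeywordCheckboxes(List<LogbookKeyword> words, int type) {
        StringBuilder html = new StringBuilder();
        for (LogbookKeyword w : words) {
            html.append(" <input type=\"checkbox\" name=\"keywordCheckbox")
                .append(type)
                .append("\" value=\"")
                .append(w.hashCode())
                .append("\" checked/>")
                .append(escapeHtml(w.getWord()))   // encoded text node
                .append("<br>\n");
        }
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample keywords; the second contains characters that
        // would be interpreted as markup if echoed raw.
        List<LogbookKeyword> words = new ArrayList<>();
        words.add(new LogbookKeyword("radiology"));
        words.add(new LogbookKeyword("Tom & Jerry <b>bold</b>"));
        System.out.print(renderKeywordCheckboxes(words, 1));
    }
}
```

The encoder is applied at the point where the string enters the HTML, not where the keyword is read, so it does not matter which upstream component supplied the value. Keep the encoding specific to the output context: this routine is correct for HTML text and double-quoted attributes, but a value placed inside a script block or a URL needs a different encoder, as the OWASP cheat sheet linked above explains.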
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)
Description Summary
The software receives input from an upstream component, but it does not sanitize or incorrectly sanitizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Extended Description
This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session. Although this can be classified as an injection problem, the more pertinent issue is the failure to convert such special characters to respective context-appropriate entities before displaying them to the user.
public static String encodeHTML(String s)
{
    StringBuilder out = new StringBuilder();
    for (int i = 0; i < s.length(); i++)
    {
        char c = s.charAt(i);
        // Numeric-entity encode every non-ASCII character plus the
        // characters that carry meaning in HTML text and attribute values.
        // '&' and '\'' are included so that entities already in the input
        // are not passed through and single-quoted attributes are covered.
        if (c > 127 || c == '"' || c == '\'' || c == '<' || c == '>' || c == '&') {
            out.append("&#" + (int) c + ";");
        }
        else {
            out.append(c);
        }
    }
    return out.toString();
}
Is there a JDK class to do HTML encoding (but not URL encoding)?