Possible cross site scripting threat detected.
- Rule ID: java_lang_xss_response_writer
- Languages: java
- Source: xss_response_writer.yml
Description
Encode (for the output context) and, where rich text is expected, sanitize any user input before passing it to response.getWriter(), so that attacker-controlled data is not interpreted as markup or script by the browser and cross-site scripting (XSS) is avoided.
✅ Use an encoder to minimize XSS risk
// Servlet API: getQueryString() takes no arguments, so read the parameter by name instead.
String userInput = req.getParameter("user");
// OWASP Java Encoder (org.owasp.encoder.Encode): entity-encodes the value for an HTML text context.
String encodedUserInput = Encode.forHtml(userInput);
response.getWriter().write(encodedUserInput);
✅ Even better, sanitize user input
String userInput = req.getParameter("user");
// sanitize() stands for an allow-list HTML sanitizer (for example the OWASP Java HTML Sanitizer);
// it is not defined on this page.
String sanitizedUserInput = sanitize(userInput);
response.getWriter().write(sanitizedUserInput);
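The two snippets above show the calls in isolation. The following servlet is an added example, not Bearer's code or part of this rule, that puts them in context: it reads a request parameter, encodes it differently depending on where in the page it lands (HTML text versus a JavaScript string literal), and runs a deliberately rich-text field through an allow-list sanitizer. It assumes the OWASP Java Encoder (`org.owasp.encoder`) and the OWASP Java HTML Sanitizer (`org.owasp.html`) are on the classpath; the class name, parameter names and the sample input are constructed for illustration.

```java
// Added example (not from the Bearer rule page): writing untrusted input safely
// via response.getWriter(). Assumes org.owasp.encoder and org.owasp.html are
// available as dependencies.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class GreetingServlet extends HttpServlet {

    // Allow-list policy: only simple formatting tags and links survive; script
    // elements, event-handler attributes and unknown tags are stripped.
    private static final PolicyFactory RICH_TEXT_POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");   // untrusted: fully client-controlled
        if (user == null) {
            user = "";
        }

        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");       // explicit charset keeps the encoder's assumptions valid
        PrintWriter out = resp.getWriter();

        // Context 1: plain text inside an element. HTML entity encoding is the right tool.
        out.write("<p>Hello, " + encodeForHtmlText(user) + "</p>");

        // Context 2: inside a JavaScript string literal. HTML encoding is not sufficient here
        // (a quote would still terminate the literal), so use the context-specific encoder.
        out.write("<script>var who = '" + Encode.forJavaScript(user) + "';</script>");

        // Context 3: a field where limited HTML is an intended feature. Reduce it to the
        // allow-listed subset rather than encoding it, then emit the result as markup.
        String bio = req.getParameter("bio");
        if (bio != null) {
            out.write("<div class=\"bio\">" + sanitizeRichText(bio) + "</div>");
        }
    }

    // Helpers so the behaviour can be exercised without a servlet container.
    static String encodeForHtmlText(String untrusted) {
        return Encode.forHtml(untrusted);
    }

    static String sanitizeRichText(String untrustedHtml) {
        return RICH_TEXT_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input: a display name containing markup characters.
        String sample = "<b>Bob</b> & \"friends\"";
        System.out.println("encoded:   " + encodeForHtmlText(sample));
        System.out.println("sanitized: " + sanitizeRichText(sample));
    }
}
```

The point the rule is making is that the choice between the two approaches depends on intent: encoding preserves the user's characters as literal text, while sanitizing keeps a subset of markup. Neither substitutes for the other, and both depend on the output context, which is why `forHtml` and `forJavaScript` are used at different positions in the same response.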
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=java_lang_xss_response_writer
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=java_lang_xss_response_writer