Unsanitized user input in output stream (XSS)

Description

Encode any user-controlled input before writing it to the response through response.getWriter(); otherwise an attacker can inject markup or script into the page, a cross-site scripting (XSS) attack. Use the encoder that matches the output context the value lands in (HTML body, HTML attribute, JavaScript string). Where user-supplied HTML genuinely must be rendered, sanitize it with an allow-list sanitizer instead of encoding it.

✅ Use an encoder to minimize XSS risk

import org.owasp.encoder.Encode;

String userInput = req.getParameter("user"); // getQueryString() takes no argument and returns the whole raw query string
String encodedUserInput = Encode.forHtml(userInput);
response.getWriter().write(encodedUserInput);

✅ Alternatively, when user-supplied markup must be rendered, sanitize it with an allow-list (shown here with the OWASP Java HTML Sanitizer)

import org.owasp.html.Sanitizers;

String userInput = req.getParameter("user");
String sanitizedUserInput = Sanitizers.FORMATTING.sanitize(userInput); // keeps b, i, em, strong...; drops script, event handlers, javascript: URLs
response.getWriter().write(sanitizedUserInput);
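The example below is added here as an illustration and is not part of the Bearer rule page or of Bearer's own code. It puts the pattern this rule flags (user input concatenated straight into the response body) next to a hardened version that encodes for each output context, and an allow-list sanitizer for the rich-text case. The servlet name GreetingServlet, the parameter name user, and the test payloads are assumptions; it uses the javax.servlet API (use jakarta.servlet on Servlet 5+) plus the OWASP Java Encoder (org.owasp.encoder:encoder) and OWASP Java HTML Sanitizer (com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer) libraries on the classpath.

```java
import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

// Assumed servlet name; the class exists only to demonstrate the rule's finding and its fix.
public class GreetingServlet extends HttpServlet {

    // Allow-list policy for the rare case where user-supplied markup must survive:
    // simple formatting tags (b, i, em, strong, ...) are kept; script elements, event
    // handler attributes and javascript: URLs are removed by the sanitizer.
    private static final PolicyFactory RICH_TEXT_POLICY = Sanitizers.FORMATTING;

    // VULNERABLE: this is what java_lang_xss_response_writer reports. The value of
    // "user" flows unchanged into the HTML written to the response.
    static String renderUnsafe(String user) {
        return "<p>Hello " + user + "</p>";
    }

    // HARDENED: encode once, for the exact context the value is placed in.
    // Encoding for the HTML body is not enough when the same value is also dropped
    // into an attribute or a JavaScript string literal, so each slot gets its own encoder.
    static String renderSafe(String user) {
        StringBuilder html = new StringBuilder();
        html.append("<p>Hello ").append(Encode.forHtml(user)).append("</p>\n");
        html.append("<input type=\"text\" value=\"")
            .append(Encode.forHtmlAttribute(user)).append("\">\n");
        html.append("<script>var name = '")
            .append(Encode.forJavaScript(user)).append("';</script>\n");
        return html.toString();
    }

    // RICH TEXT: when the product requires user-authored HTML (e.g. a profile bio),
    // sanitize against an allow-list rather than encoding, so legitimate tags render.
    static String renderRichText(String bio) {
        return "<div class=\"bio\">" + RICH_TEXT_POLICY.sanitize(bio) + "</div>";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getParameter("user") returns the decoded value of ?user=...;
        // getQueryString() takes no argument and returns the whole raw query string.
        String user = req.getParameter("user");
        if (user == null) {
            user = "";
        }
        // Pin the content type and charset so the browser cannot sniff its way into
        // interpreting the body as something other than UTF-8 HTML.
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.write(renderSafe(user));
    }

    // Stand-alone demonstration with constructed payloads (not captured traffic).
    public static void main(String[] args) {
        String payload = "<script>alert(1)</script>";
        System.out.println("unsafe:    " + renderUnsafe(payload));
        System.out.println("safe:      " + renderSafe(payload));
        System.out.println("rich text: " + renderRichText("<b>bold</b><img src=x onerror=alert(1)>"));
    }
}
```

Running main shows the unsafe rendering carrying the script tag through verbatim, the safe rendering turning the angle brackets and quotes into entities (or JavaScript escapes in the script slot) so the browser treats them as text, and the sanitized rich text keeping the bold tag while the img element with its onerror handler is gone. The check a reviewer applies to either fix is the same: every place a request value reaches the writer must pass through an encoder matching its context, or through the sanitizer policy.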

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_xss_response_writer

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_xss_response_writer
