1- <!DOCTYPE qhelp PUBLIC
2- "-//Semmle//qhelp//EN"
3- "qhelp.dtd">
1+ <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
42<qhelp >
53
64
7- <overview >
8- <p >Directly writing user input (for example, an HTTP request parameter) to a web page,
9- without properly sanitizing the input first, allows for a cross-site scripting vulnerability.</p >
5+ <overview >
6+ <p >Directly writing user input (for example, an HTTP request parameter) to a web page,
7+ without properly sanitizing the input first, allows for a cross-site scripting vulnerability.</p >
108
11- </overview >
12- <recommendation >
9+ </overview >
10+ <recommendation >
1311
14- <p >To guard against cross-site scripting, consider using contextual output encoding/escaping before
15- writing user input to the page, or one of the other solutions that are mentioned in the
16- reference.</p >
12+ <p >To guard against reflected cross-site scripting in your backend java service, consider using
13+ an appropriate HTML escaping library for your framework to sanitize the special HTML
14+ characters.
15+ </p >
1716
18- </recommendation >
19- <example >
17+ <p > For Android applications where an untrusted input is reflected into the WebView component
18+ via risky methods such as <code >evaluateJavascript</code >, <code >loadData</code > or <code >
19+ loadDataWithBaseURL</code > that execute javascript, use the following best practices:</p >
2020
21- <p >The following example shows the <code >page</code > parameter being written directly to the page,
22- leaving the website vulnerable to cross-site scripting.</p >
21+ <ul >
22+ <li >
23+ Use an appropriate HTML escaping library to sanitize special characters in the untrusted
24+ input.
25+ </li >
26+ <li >When applicable, validate that the untrusted input is of a safe type before passing the
27+ data into a risky method.</li >
28+ <li > In scenarios where WebView doesn't require JavaScript, don't call <a
29+ href =" https://developer.android.com/reference/android/webkit/WebSettings#setJavaScriptEnabled(boolean)"
30+ setJavaScriptEnabled</a > within <a
31+ href =" https://developer.android.com/reference/android/webkit/WebSettings" a >
32+ (for example, while displaying static HTML content). By default, JavaScript execution is
33+ disabled in WebView. </li >
34+ </ul >
35+ <p ></p >
2336
24- <sample src =" XSS.java"
37+ <p >If the above solutions do not work for your use-case, please consult your security assurance
38+ team.</p >
2539
26- </example >
27- <references >
2840
41+ </recommendation >
42+ <example >
2943
30- <li >
31- OWASP:
32- <a href =" https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
33- (Cross Site Scripting) Prevention Cheat Sheet</a >.
34- </li >
35- <li >
36- Wikipedia: <a href =" http://en.wikipedia.org/wiki/Cross-site_scripting" a >.
37- </li >
44+ <p >The following example shows the <code >page</code > parameter being written directly to the
45+ page, leaving the website vulnerable to cross-site scripting.</p >
3846
47+ <sample src =" XSS.Bad.java"
3948
40- </references >
41- </qhelp >
49+ <p > Use an HTML encoding API such as <code >org.apache.commons.text.StringEscapeUtils.escapeHtml4</code >to
50+ sanitize the untrusted <code >page</code > parameter before inserting it into the HTTP response.</p >
51+
52+ <sample src =" ./XSS.Good.java"
53+ </example >
54+ <references >
55+
56+
57+ <li > OWASP: <a
58+ href =" https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
59+ (Cross Site Scripting) Prevention Cheat Sheet</a >. </li >
60+ <li > Wikipedia: <a href =" http://en.wikipedia.org/wiki/Cross-site_scripting" a >
61+ . </li >
62+ <li > WebView - Native bridges <a
63+ href =" https://developer.android.com/privacy-and-security/risks/insecure-webview-native-bridges"
64+ Risks</a >
65+ </li >
66+
67+
68+ </references >
69+ </qhelp >
0 commit comments