2 files changed, +2 -6 lines, under java/ql/test/query-tests/security/CWE-079/semmle/tests
11edges
22| XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... |
3- | XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... |
43| XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... |
54| XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) |
65nodes
76| XSS.java:23:5:23:70 | ... + ... | semmle.label | ... + ... |
87| XSS.java:23:21:23:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
9- | XSS.java:27:5:27:70 | ... + ... | semmle.label | ... + ... |
10- | XSS.java:27:21:27:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
118| XSS.java:38:30:38:87 | ... + ... | semmle.label | ... + ... |
129| XSS.java:38:67:38:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
1310| XSS.java:41:36:41:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
1411| XSS.java:41:36:41:67 | getBytes(...) | semmle.label | getBytes(...) |
1512#select
1613| XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value |
17- | XSS.java:27:5:27:70 | ... + ... | XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:27:21:27:48 | getParameter(...) | user-provided value |
1814| XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value |
1915| XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value |
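Review bot: the rows removed for XSS.java:27 (the unescaped `getParameter("page")` concatenated into the `sendError` message, in the edges, nodes and #select sections) are only correct if the query's sink model no longer treats `sendError` as an XSS sink, and no such model change appears in this diff; make sure that change lands in the same change set, otherwise this test fails on the extra result. The line 38 and line 41 `getPathInfo(...)` results are kept, so the file still exercises the remaining sinks, which is fine.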
@@ -22,15 +22,15 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
2222 response .getWriter ().print (
2323 "The page \" " + request .getParameter ("page" ) + "\" was not found." );
2424
25- // BAD: a request parameter is written directly to an error response page
25+ // GOOD: servlet API encodes the error message HTML for the HTML context
2626 response .sendError (HttpServletResponse .SC_NOT_FOUND ,
2727 "The page \" " + request .getParameter ("page" ) + "\" was not found." );
2828
2929 // GOOD: escape HTML characters first
3030 response .sendError (HttpServletResponse .SC_NOT_FOUND ,
3131 "The page \" " + encodeForHtml (request .getParameter ("page" )) + "\" was not found." );
3232
33- // FALSE NEGATIVE: passed through function that is not a secure check
33+ // GOOD: servlet API encodes the error message HTML for the HTML context
3434 response .sendError (HttpServletResponse .SC_NOT_FOUND ,
3535 "The page \" " + capitalizeName (request .getParameter ("page" )) + "\" was not found." );
3636
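Review bot: the new comment on line 25 says the servlet API encodes the message for the HTML context, but the API itself does not; the escaping is done by the container's default error page, and an application that configures its own `<error-page>` renders the message however it likes. Reword to something like `// GOOD: the container's default error page HTML-escapes the message` so the assumption the test relies on is explicit. On line 33 the replacement comment also drops the information that `capitalizeName` is not a sanitizer, which is the reason this case exists; keep it, e.g. `// GOOD: not because capitalizeName sanitizes, but because the container escapes the message`.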