I have inherited a legacy application and there is a snippet of code given below.
private static void printKeywordCheckboxes(JspWriter out, ArrayList words, int type)
        throws IOException {
    LogbookKeyword thisWord;
    Iterator iterWord = words.iterator();
    while (iterWord.hasNext()) {
        thisWord = (LogbookKeyword) iterWord.next();
        // The keyword text is written straight into the HTML without any escaping
        out.println(" <input type=\"checkbox\" name=\"keywordCheckbox" +
                type + "\" value=\"" +
                thisWord.hashCode() + "\" checked/>" +
                thisWord.getWord() + "<br>");
    }
}
Veracode is throwing an exception "Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)" at the 'out.println()'.
Can anybody let me know how this issue should be fixed? Any help would be greatly appreciated.
The problem is that 'words' are being passed down to your method, but there is no neutralization of these before they get used - the words get used 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf
When you are generating this HTML, you are going to need to neutralize the user input - make sure it is harmless before turning it into HTML. My Java is a bit rusty but a Google gives us some suggestions:
Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet