"Potential XSS in JSP" security rule doesn't take escaping into account

SonarQube Version

doesn’t seam to take into account the fn:escapeXml() function for evaluating the “Potential XSS in JSP” rule :

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<c:set var="str" value="This <em>is a String</em>"/>
Test&nbsp;: <b>${ fn:escapeXml(str) }</b>

triggers the Security rules, whereas fn:escapeXml() prevents all XSS

And I have a HUGE codebase using fn:escapeXml()

Hi Thomas and welcome to the community!

You are right that this should be a sanitizer for XSS (and XML injection). I will create a ticket for this, thanks for the report!

Just a small note: it prevents a majority of XSS but not necessarily all. It depends on the HTML context where the user input ends up in. For example, this is not great:

<script>${ fn:escapeXml(str) }</script>
1 Like

well indeed. But with

<script>${ fn:escapeXml(str) }</script>

you just cannot prevent XSS :smiley:
I meant outside a <script> element, you cannot generate a <script> element if you use ${ fn:escapeXml(str) }

In my opinion, putting user input into a script tag is always a bad idea. But I have seen it often in the following form:

var foo = '{{ str }}';

Some systems provide encoders to turn every character into hex which could make this secure. A much more elegant solution is to put it in a data attribute and then use JavaScript to read it out though. This way the normal HTML encoding can be used.

@Hendrik_Buchwald any news about the ticket you have created on this issue ?

Hi Thomas,

So far it was not implemented. I have pinged the team, they said they want to try to solve it in March.