Unable to remediate a SQ-Enterprise OWASP XSS vulnerability

Hi -

We just started working to remediate OWASP vulnerabilities as reported by the SQ Enterprise Edition.

We have a prototypical XSS issue that we are unable to resolve per the SQ provided guidance, try as we might. Our code, at this tier, is pretty trivial and very much like the example code provided in the why-is-this-an-issue dialog.

Thoughts on how best to satisfy the XSS OWASP gate?

best,

  • james

Hello @jwtodd-avail and welcome to the community!

I tested the compliant solution suggested in the XSS rule and it’s working fine on my side.

Can you share your code to see what is going wrong?

Eric

Hi Eric -

Thx for the follow up. We are new to SQ-Enterprise/OWASP. Looks like we got it working by comparing the user-provided data against a String literally named WHITELIST. As such, we are good at this time.

I did want to use a compiled Pattern, for efficiency reasons, but that check failed although it is functionally equivalent. This project is in Java.

q: should I be able to code an OWASP/XSS compliant check using a comparator other than a String?

thx,

  • james
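An added illustration (not code from this thread or from SonarSource) of the two validation styles james describes: a String-literal allowlist comparison and the functionally equivalent compiled Pattern, each gating a request parameter before it is written into the response. The servlet, the `lang` parameter, the allowlist values and the helper names are hypothetical; which of the two forms a given analyzer recognizes as a sanitizer is exactly what the thread is asking.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GreetingServlet extends HttpServlet {
    // Hypothetical allowlist: the only values the "lang" parameter may take.
    private static final Set<String> WHITELIST = Set.of("en", "fr", "de");
    // The same allowlist expressed as a pre-compiled regex (the form the thread wanted).
    private static final Pattern WHITELIST_PATTERN = Pattern.compile("en|fr|de");

    /** Returns the input unchanged if it is on the allowlist (String comparison), else null. */
    static String checkByString(String input) {
        return input != null && WHITELIST.contains(input) ? input : null;
    }

    /** Same decision via Pattern: matches() anchors to the whole input, unlike find(). */
    static String checkByPattern(String input) {
        return input != null && WHITELIST_PATTERN.matcher(input).matches() ? input : null;
    }

    /** Minimal HTML encoding so the value stays inert in an HTML body even if validation is ever loosened. */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Swap in checkByPattern(...) here to compare how the analyzer treats each sanitizer.
        String lang = checkByString(req.getParameter("lang"));
        if (lang == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unsupported lang");
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write("<p>lang=" + htmlEncode(lang) + "</p>");
    }
}
```

Validation and output encoding are kept as separate steps so that the response remains safe whichever check the analyzer ends up tracking.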

@jwtodd-avail, we support a lot of sanitizers, not only String comparisons, and we always look for new ones.

Can you share a code sample please? This way we will be able to see if the sanitizer you are using could be added to the default configuration of SonarSource products.

Eric