(JAVA-A1035) Audit: Including request data within HTML response strings may lead to XSS attacks

[4k4xs4pH1r3]

Description

Avoid directly including request data within HTML, as this may lead to a cross-site-scripting vulnerability.

Occurrences

There is 1 occurrence of this issue in the repository.

See all occurrences on DeepSource → app.deepsource.com/gh/4k4xs4pH1r3/artemisa/issue/JAVA-A1035/occurrences/

[secure-code-warrior-for-github[bot]]

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "cross-site-scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.