Prevent XSS attacks

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: java-security/xss-protection

Language: Java

Severity: Warning

Category: Security

CWE: 79

Description

This rule is designed to prevent Cross-Site Scripting (XSS) attacks, which occur when untrusted data is included in a web page without proper validation or escaping, allowing an attacker to inject malicious scripts and perform actions on behalf of the user. It’s important because XSS attacks can lead to a variety of security breaches, including session hijacking, identity theft, and defacement of websites.

In Java, particularly in web applications, developers should always validate and sanitize user input before using it in HTML or JavaScript code. This involves ensuring that the input conforms to expected formats and does not contain potentially harmful characters or scripts.

To avoid violations of this rule, use context-specific output encoding whenever outputting user-controlled data. Libraries such as the OWASP Java Encoder can be used to safely encode user data for different HTML and JavaScript contexts. Also, consider using modern web development frameworks that automatically escape user-controlled data, such as Thymeleaf for Java.

In addition, setting the HTTP response header X-XSS-Protection to 0 can disable the browser’s built-in XSS protection, leaving the user more vulnerable to XSS attacks. Do not set this header to 0 unless you have a specific reason to do so and understand the security implications.

Non-Compliant Code Examples

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class NonCompliant {
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        String param = "<default>";
        java.util.Enumeration<String> headers = request.getHeaders("X-Some-Header");

        if (headers != null && headers.hasMoreElements()) {
            param = headers.nextElement();
        }

        param = java.net.URLDecoder.decode(param, "UTF-8");

        response.setHeader("X-XSS-Protection", "0");
        response.getWriter().printf("Hello, %s!", param);
    }
}

Compliant Code Examples

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Compliant {
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        // Safe: output is not from user input
        response.getWriter().println("Hello, World!");
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

원활한 통합. Datadog Code Security를 경험해 보세요

Datadog Code Security