I am currently facing a Checkmarx scan issue for the snippet below:

The application's getResponse embeds untrusted data in the generated output with setCatList, at line 10 of MyClass.java. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output. This can enable a Reflected Cross-Site Scripting (XSS) attack.

GetCatSP sp = getCatSP(); // GetCatSP extends StoredProcedure
Map<String, Object> output = sp.getMyData(inParams); // This executes super.execute(inParams) and returns it
List<Cat> catList = (List<Cat>) output.get("cat_info"); // unchecked cast; Checkmarx treats this DB read as the taint source

response.setCatList(catList); // the sink Checkmarx reports: data reaches the output unencoded

How do I handle this?

baruchiro
Anonymous
  • Is it untrusted (i.e. user-provided) data? Can you sanitize or escape/encode it? What happens with the data? – knittl Jan 03 '23 at 12:28
  • Checkmarx wants you to sanitize/validate the data before you send it to the client. This can be done with libraries like Antisamy or Jsoup. See here for example: https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer – TomStroemer Jan 03 '23 at 12:36
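One way to clear this class of finding, added here as an example and not taken from the question or from any answer, is to HTML-encode each string field of the Cat objects between the stored-procedure read and response.setCatList, so the scanner sees an encoder on the path from source to sink. It assumes a hypothetical Cat POJO with name and description fields and uses the OWASP Java Encoder library (org.owasp.encoder.Encode, artifact org.owasp.encoder:encoder).

```java
import java.util.ArrayList;
import java.util.List;
import org.owasp.encoder.Encode;

public class CatResponseEncoder {

    // Hypothetical POJO standing in for the Cat type from the question.
    public static class Cat {
        private final String name;
        private final String description;

        public Cat(String name, String description) {
            this.name = name;
            this.description = description;
        }

        public String getName() { return name; }
        public String getDescription() { return description; }
    }

    // Null-safe wrapper so rows with missing columns do not break encoding.
    private static String html(String s) {
        return s == null ? null : Encode.forHtml(s);
    }

    // Returns a new list whose string fields are HTML-encoded, so whatever the
    // stored procedure returned is rendered as literal text instead of markup
    // when the response is written into an HTML page. Doing this before
    // response.setCatList(...) is what the scanner expects to see.
    public static List<Cat> encodeForHtml(List<Cat> cats) {
        List<Cat> safe = new ArrayList<>(cats.size());
        for (Cat c : cats) {
            safe.add(new Cat(html(c.getName()), html(c.getDescription())));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input: a description carrying a script tag.
        List<Cat> fromDb = new ArrayList<>();
        fromDb.add(new Cat("Tom", "grey <script>alert(1)</script> tabby"));
        for (Cat c : encodeForHtml(fromDb)) {
            System.out.println(c.getName() + ": " + c.getDescription());
        }
    }
}
```

Encoding is context-specific: if the response is serialized as JSON and the client inserts the values as DOM text, HTML-encoding here would double-encode, and the encoder belongs in the view layer (or the finding is a false positive to be documented) rather than in this service code.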
