| @GetMapping("/greet") | ||
| public String greet(@RequestParam String greeting) { | ||
| return String.format("%s, my name is %s", greeting, properties.name()); | ||
| return "%s, my name is %s".formatted(greeting, properties.name()); |
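Review bot: the CodeQL alert on the `+` line still applies after this change, because `greeting` goes straight from `@RequestParam` into the returned string; replacing `String.format(...)` with `"...".formatted(...)` is a style change only. If the endpoint is meant to return plain text, pin the response type with `@GetMapping(value = "/greet", produces = MediaType.TEXT_PLAIN_VALUE)` so a browser's `Accept: text/html` cannot cause Spring to serve the string as HTML; if it may be rendered as HTML, the value needs HTML-encoding before it is interpolated.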
Check warning: Code scanning / CodeQL, Cross-site scripting (Medium)
Copilot Autofix (AI, 7 months ago)
To prevent XSS, all user input included in a response that could ever be interpreted as HTML should be properly escaped or encoded. In this context, even though the method returns a string, and not a rendered HTML template, best practice is to encode/escape the greeting parameter before returning it. The safest and most standard way in Java is to use the StringEscapeUtils.escapeHtml4 utility from Apache Commons Text, which encodes special characters so that any HTML/JavaScript code passed via the user input will not be executed when rendered in a browser.
To implement this fix:
- Import org.apache.commons.text.StringEscapeUtils at the top.
- Escape the greeting parameter using StringEscapeUtils.escapeHtml4(greeting) before interpolating/injecting it into the returned string.
- No change is needed for properties.name() as it's presumably static-safe configuration, but if user-controlled, it should likewise be escaped.
Change placement:
- File: cloud-jdbc-env-repo/src/main/java/zin/rashidi/boot/cloud/jdbcenvrepo/greet/GreetResource.java
- Lines: Add an import for StringEscapeUtils and update the response construction in the greet method.
| @@ -3,6 +3,7 @@ | ||
| import org.springframework.web.bind.annotation.GetMapping; | ||
| import org.springframework.web.bind.annotation.RequestParam; | ||
| import org.springframework.web.bind.annotation.RestController; | ||
| import org.apache.commons.text.StringEscapeUtils; | ||
|
|
||
| /** | ||
| * @author Rashidi Zin | ||
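Review bot: the new `import org.apache.commons.text.StringEscapeUtils;` is placed after the `org.springframework.*` imports, breaking the alphabetical order of the surrounding lines; move it above them. More importantly, this single import is the only reason for the new commons-text dependency in the build file. Spring's own `org.springframework.web.util.HtmlUtils.htmlEscape(String)` is already on the classpath of a Spring MVC application and encodes the characters that matter here (`<`, `>`, `&` and quotes), so it would give the same protection without adding a third-party dependency for one call.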
| @@ -18,7 +19,8 @@ | ||
|
|
||
| @GetMapping("/greet") | ||
| public String greet(@RequestParam String greeting) { | ||
| return "%s, my name is %s".formatted(greeting, properties.name()); | ||
| String safeGreeting = StringEscapeUtils.escapeHtml4(greeting); | ||
| return "%s, my name is %s".formatted(safeGreeting, properties.name()); | ||
| } | ||
|
|
||
| } |
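Review bot: the escaping on the `+` lines is a behaviour change for every caller, not only browsers: `escapeHtml4` turns `<`, `>`, `&` and `"` into entities, so a client sending `greeting=Hi "there"` now receives `Hi &quot;there&quot;`. Add a test for the endpoint that asserts on the encoded output (for example that `greeting=<b>hi</b>` yields `&lt;b&gt;hi&lt;/b&gt;, my name is ...`) so the change is documented and a later refactor cannot silently drop the escaping. `properties.name()` stays unescaped, which is acceptable as long as it remains configuration rather than user input.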
| @@ -26,7 +26,9 @@ | ||
| } | ||
|
|
||
| dependencies { | ||
| implementation(platform("org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}")) | ||
| implementation(platform("org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion | ||
| implementation("org.apache.commons:commons-text:1.14.0") | ||
| }")) | ||
|
|
||
| implementation("org.springframework.boot:spring-boot-starter-data-jdbc") | ||
| implementation("org.springframework.cloud:spring-cloud-starter-bootstrap") |
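Review bot: as rendered, the added `implementation("org.apache.commons:commons-text:1.14.0")` sits between `...:${springCloudVersion` and `}"))`, that is, inside the string literal of the `platform(...)` line it replaces, which would not parse in the Gradle Kotlin DSL. The new dependency should be its own statement after the intact `implementation(platform("org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"))` line. If the Spring-provided `HtmlUtils.htmlEscape` is used in `GreetResource` instead, this hunk is not needed at all.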
| Package | Version | Security advisories |
|---|---|---|
| org.apache.commons:commons-text (maven) | 1.14.0 | None |