New rule: NoUnsanitizedJSPExpressionRule #9

Merged
merged 4 commits into from Sep 29, 2014

@marob
Contributor
marob commented Sep 24, 2014

This rule detects unsanitized JSP Expressions that can lead to Cross Site Scripting (XSS) attacks
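A simplified sketch of the kind of check such a rule performs, added here as an illustration; it is not the PMD rule's implementation or code from this pull request. The JSP fragment is constructed, and treating attributes of prefixed taglib tags as sanitized (unless `escapeXml="false"` is set) is an assumption of the sketch.

```python
import re

# Constructed JSP fragment for illustration; not taken from the pull request.
SAMPLE_JSP = """\
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<p>Hello ${param.name}</p>
<p>Hello <c:out value="${param.name}"/></p>
<p>Hello ${fn:escapeXml(param.name)}</p>
<p><c:out value="${param.bio}" escapeXml="false"/></p>
<a href="/search?q=${param.q}">search again</a>
"""

EL_EXPR = re.compile(r"\$\{([^}]*)\}")
TAG_NAME = re.compile(r"<\s*([\w.-]+(?::[\w.-]+)?)")
ESCAPE_OFF = re.compile(r"escapeXml\s*=\s*[\"']false[\"']")


def enclosing_tag(jsp, pos):
    """Return (name, text) of the tag whose attributes contain pos, else None."""
    lt = jsp.rfind("<", 0, pos)
    if lt == -1 or jsp.find(">", lt, pos) != -1:
        return None  # expression sits in template text, not inside a tag
    name = TAG_NAME.match(jsp, lt)
    end = jsp.find(">", pos)
    return (name.group(1), jsp[lt:end if end != -1 else len(jsp)]) if name else None


def find_unsanitized(jsp):
    """Return (line, expression) for EL output that reaches the page unescaped."""
    findings = []
    for m in EL_EXPR.finditer(jsp):
        expr = m.group(1).strip()
        if expr.startswith("fn:escapeXml(") and expr.endswith(")"):
            continue  # explicitly escaped by the JSTL function
        tag = enclosing_tag(jsp, m.start())
        # Assumption: an attribute of a prefixed (taglib) tag is escaped by the
        # tag itself, unless escaping has been switched off on that tag.
        if tag and ":" in tag[0] and not ESCAPE_OFF.search(tag[1]):
            continue
        findings.append((jsp.count("\n", 0, m.start()) + 1, m.group(0)))
    return findings


if __name__ == "__main__":
    for line, expr in find_unsanitized(SAMPLE_JSP):
        print(f"line {line}: unsanitized expression {expr}")
```

The tag lookup is a text heuristic: a `>` inside an attribute value will confuse it, which is why a real rule works on the parsed JSP AST instead.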

@buildhive

Andreas Dangel » pmd #173 SUCCESS
This pull request looks good

@buildhive

Andreas Dangel » pmd #174 SUCCESS
This pull request looks good

@adangel adangel merged commit 59706b9 into adangel:master Sep 29, 2014
@adangel
Owner
adangel commented Sep 29, 2014

Thanks!

@lysu
lysu commented Apr 1, 2015

hi @adangel ~

We want to use PMD to define some patterns to find issues in our XML (e.g. Spring XML configuration), but we ran into a problem when an XML node has a namespace.

 <beans>
   <uc:service interface="x.y.FooService" />
 </beans>

Using XPath to define the rule:

  /beans/uc:service 

but it doesn't work...

And I found some help in http://jaxen.codehaus.org/faq.html and tried to add Ns to the XPath...

but it still doesn't work. It seems that the AST node does not contain any namespace info, but jaxen needs it.

How can we fix it?

(Sorry, I wanted to add an issue in this repository but couldn't find any entrance, so I am commenting on this pull request.) ^ ^

@adangel
Owner
adangel commented Apr 1, 2015

This issue seems to be related to the discussion here: https://sourceforge.net/p/pmd/discussion/188194/thread/5c699b9d/?limit=25#1e22

This seems to be an open issue - I created one, because I didn't find an existing one: https://sourceforge.net/p/pmd/bugs/1329/

A workaround seems to be to use node():

  //node()[@interface = 'x.y.FooService']