
[vf] Html encoding of controller fields is insufficient to prevent XSS #2772

Open
rmohan20 opened this issue Sep 10, 2020 · 1 comment

Labels
a:false-negative PMD doesn't flag a problematic piece of code

rmohan20 (Contributor) commented Sep 10, 2020

Affects PMD Version:
6.27.0+
7.0.0

Rule:
VfUnescapeElRule

Description:

HTML encoding inside JavaScript event handler methods does not prevent XSS. This Stack Overflow answer explains the situation well.
To avoid giving a false sense of safety, VfUnescapeElRule should throw a rule violation when it detects a JavaScript event handler applying HTML encoding on a controller value.

Code Sample demonstrating the issue:

<!-- {!HTMLENCODE(Name)} is evaluated in an HTML-attribute context, but the value lands inside a JavaScript string literal in the onerror handler -->
<img src="{!Name}" onerror="console.log('could not load {!HTMLENCODE(Name)}')"/>

Expected outcome:
Rule violation. Current behavior is a false-negative.

Running PMD through: CLI
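The parsing order behind the issue's claim, shown as an added example in JavaScript (not code from the issue, from PMD or from Salesforce): `htmlEncode` and `jsEncode` are simplified models of Visualforce's HTMLENCODE and JSENCODE, `htmlAttributeDecode` models the browser decoding character references in an attribute value before the JavaScript engine sees it, and `PAYLOAD` is a constructed attacker-controlled controller value. The example also goes one step beyond the issue and shows the layered `HTMLENCODE(JSENCODE(...))` order, which is the assumption here about how a JavaScript string nested in an HTML attribute has to be encoded.

```javascript
// Added example, not code from the PMD issue, from PMD, or from Salesforce.
// It models why HTMLENCODE alone cannot protect a value inside an event-handler
// attribute: the HTML parser decodes character references in the attribute value
// first, then hands the decoded text to the JavaScript parser, so the HTML
// encoding is undone before JavaScript ever sees the controller value.
//
// htmlEncode / jsEncode are simplified stand-ins for Visualforce's HTMLENCODE
// and JSENCODE (assumption: they encode the usual HTML- and JS-significant
// characters); they are not Salesforce's implementation.

// Simplified model of HTMLENCODE: entity-encode HTML-significant characters.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified model of JSENCODE: backslash-escape characters that could end a
// JavaScript string literal or inject a line break.
function jsEncode(s) {
  const map = { "\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r" };
  return s.replace(/[\\'"\n\r]/g, (c) => map[c]);
}

// What the HTML parser does to an attribute value before the JS engine runs it:
// decode character references. This step exactly reverses htmlEncode.
function htmlAttributeDecode(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}

// Build the onerror attribute from the issue around an already-encoded value and
// return the JavaScript source the browser would actually execute.
function renderHandler(encodedName) {
  const attributeValue = `console.log('could not load ${encodedName}')`;
  return htmlAttributeDecode(attributeValue);
}

// Execute the handler source with console and alert stubbed out, so the calls it
// makes are recorded instead of popping a dialog. Returns the call log.
function executeHandler(jsSource) {
  const calls = [];
  const fakeConsole = { log: (...args) => calls.push(["log", args.join(" ")]) };
  const fakeAlert = (x) => calls.push(["alert", String(x)]);
  new Function("console", "alert", jsSource)(fakeConsole, fakeAlert);
  return calls;
}

// Constructed attacker-controlled controller value (sample input, not real data):
// closes the string literal, injects a call, and comments out the remainder.
const PAYLOAD = "');alert(1);//";

// Compare the issue's pattern (HTML encoding only) with the layered encoding for a
// JS string nested in an HTML attribute: JS-encode first, then HTML-encode, so that
// the HTML parser and then the JS parser each peel off exactly one layer.
function compareEncodings(name) {
  return {
    htmlOnly: executeHandler(renderHandler(htmlEncode(name))),
    jsThenHtml: executeHandler(renderHandler(htmlEncode(jsEncode(name)))),
  };
}

console.log(JSON.stringify(compareEncodings(PAYLOAD), null, 2));
```

Running this with `node` shows `htmlOnly` logging `"could not load "` and then calling `alert(1)`, while `jsThenHtml` logs the whole payload as inert text. The decisive check is that `renderHandler(htmlEncode(PAYLOAD))` is byte-for-byte identical to `renderHandler(PAYLOAD)`: from the JavaScript engine's point of view, HTMLENCODE in this position is a no-op. Note also that in this model `jsEncode` leaves a literal `"` in its output, so JSENCODE on its own would still let a `"` in the value end a double-quoted attribute early; HTML-encoding the JS-encoded value closes that gap.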

@rmohan20 rmohan20 added the a:bug PMD crashes or fails to analyse a file. label Sep 10, 2020
@adangel adangel added a:false-negative PMD doesn't flag a problematic piece of code and removed a:bug PMD crashes or fails to analyse a file. labels Sep 11, 2020
@jsotuyod jsotuyod added the needs:pmd7-revalidation The issue hasn't yet been retested vs PMD 7 and may be stale label Mar 17, 2024
@jsotuyod jsotuyod removed the needs:pmd7-revalidation The issue hasn't yet been retested vs PMD 7 and may be stale label Apr 2, 2024
No branches or pull requests

3 participants