Affects PMD Version:
6.27.0+
7.0.0
Rule:
VfUnescapeElRule
Description:
HTML encoding inside JavaScript event handler methods does not prevent XSS. This Stack Overflow answer explains the situation well.
To avoid giving a false sense of safety, VfUnescapeElRule should throw a rule violation when it detects a JavaScript event handler applying HTML encoding on a controller value.
Code Sample demonstrating the issue:
Expected outcome:
Rule violation. Current behavior is a false-negative.
Running PMD through: CLI
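Why HTML encoding is not enough in that position, shown as an added example that is not part of this issue or of PMD's own code: the browser's HTML parser decodes character references in an attribute value before the JavaScript engine parses the handler, so an `&#39;` produced by HTML encoding is turned back into a raw quote inside the JS string literal. `htmlEncode` and `jsEncode` below are my own approximations of Visualforce's HTMLENCODE and JSENCODE, `decodeAttributeValue` only handles the entities `htmlEncode` emits, and `showName` is a hypothetical handler function used to give the string literal a context.

```javascript
// Added example, not from the PMD issue or the PMD project. Simulates how a
// browser treats a controller value that has been HTML-encoded vs. JS-encoded
// before being placed inside a JavaScript event-handler attribute.

// Approximation of Visualforce HTMLENCODE (assumption): escapes the five HTML
// metacharacters. Correct for HTML body/attribute context, not for JS context.
function htmlEncode(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Approximation of Visualforce JSENCODE (assumption): backslash-hex-escapes
// everything that is not alphanumeric, so the value can only ever be string
// data inside a JS literal, and survives the HTML parser's entity decoding.
function jsEncode(value) {
  return Array.from(value, (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const code = ch.codePointAt(0);
    return code <= 0xff
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  }).join("");
}

// The HTML parser decodes character references in an attribute value *before*
// the JavaScript engine ever sees the handler source. This is what undoes
// HTML encoding. Only the entities htmlEncode() emits are handled here.
function decodeAttributeValue(attr) {
  return attr
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Build the handler the way a Visualforce page would (hypothetical showName()
// call whose string argument comes from a controller value) and return the
// source text the JS engine actually parses after attribute decoding.
function handlerSource(encodedValue) {
  return decodeAttributeValue(`showName('${encodedValue}')`);
}

// Parse and run the decoded handler with a showName() that just returns its
// argument. A broken string literal surfaces as a SyntaxError here; an intact
// literal returns the original controller value unchanged.
function runHandler(source) {
  try {
    const fn = new Function("showName", "return " + source);
    return { ok: true, value: fn((s) => s) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample controller value: benign text containing a single quote.
const SAMPLE = "O'Reilly";

// Compare both encodings on the same value.
function compareEncodings(value = SAMPLE) {
  return {
    htmlEncoded: runHandler(handlerSource(htmlEncode(value))),
    jsEncoded: runHandler(handlerSource(jsEncode(value))),
  };
}

console.log(compareEncodings());
// htmlEncoded: { ok: false, error: 'SyntaxError' }  -> the quote escaped the literal
// jsEncoded:   { ok: true, value: "O'Reilly" }      -> the quote stayed string data
```

The HTML-encoded branch fails to parse even with this harmless value, which is the same context break an attacker-controlled value would exploit; the JS-encoded branch keeps the quote as data. That difference is the false sense of safety the issue describes, and why a rule that treats HTML encoding as sufficient inside an event handler is reporting a false negative.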