SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 93

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 94

changes.mady.by.user Derek Leung

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add base64 encoding example. Can't find how to change fonts?

...

Output encoding and escaping is mandatory when accepting dangerous characters such as double quotes and angle braces. Even when input is whitelisted to disallow such characters, output escaping is recommended because it provides a second level of defense. Note that the exact escape sequence can vary depending on where the output is embedded. For example, untrusted output may occur in an HTML value attribute, CSS, URL, or script; output encoding routine will be different in each case. It is also impossible to securely use untrusted data in some contexts. Consult the OWASP XSS (Cross-Site Scripting) Prevention Cheat Sheet for more information on preventing XSS attacks.

Noncompliant Code Example

This noncompliant code example takes a user input query string and build a URL. Because the URL is not properly encoded, the URL returned is not valid because it contains non-URL-safe characters RFC 1738

Code Block
languagejava
String buildUrl(String q) {
  //user inputs the argument "#YOLO2018"
  String url = "https://example.com?query=" + q;
 
  return url;
}

The url returned is "https://example.com?query=#YOLO2018" which is not a valid URL.

Compliant Solution

Code Block
languagejava
String buildEncodedUrl(String q) {
    String origUrl = "https://example.com?query=" + q;
    String encodedUrl = Base64.getUrlEncoder().encodeToString(origUrl.getBytes());
 
    return encodedUrl;
}

The encodedUrl returned is "https%3A%2F%2Fexample.com%3Fquery%3D%23YOLO2018" which is a valid URL. Use java.util.Base64 to encode and decode when transferring binary data over mediums that only allow printable characters like URLs, filenames, and MIME.

Applicability

Failure to encode or escape output before it is displayed or passed across a trust boundary can result in the execution of arbitrary code.

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)

Related Vulnerabilities

The Apache GERONIMO-1474 vulnerability, reported in January 2006, allowed attackers to submit URLs containing JavaScript. The Web Access Log Viewer failed to sanitize the data it forwarded to the administrator console, thereby enabling a classic XSS attack.

Bibliography

[OWASP 2011]Cross-site Scripting (XSS)
[OWASP 2014]How to Add Validation Logic to HttpServletRequest
XSS (Cross-Site Scripting) Prevention Cheat Sheet

...


...