...
This noncompliant code example incorporates untrusted user input into a JavaScript statement that prints the input.
// Windows-based target's file path is being used
// Sample payload standing in for the untrusted user input: the leading "')" closes the
// print('...') call that evalScript builds, and everything after it is evaluated as
// script with the engine's Java interop (JavaImporter, FileWriter) available.
// NOTE(review): as rendered here the literal spans several lines, which is not valid
// Java source; read it as one concatenated string.
String firstName = "dummy\'); var bw = new JavaImporter(java.io.BufferedWriter);
var fw = new JavaImporter(java.io.FileWriter);
with(fw) with(bw) {
bwr = new BufferedWriter(new FileWriter(\"c://somepath//somefile.txt\"));
bwr.write(\"some text\"); bwr.close(); } // ";
evalScript(firstName);
/**
 * Noncompliant: evaluates a JavaScript statement assembled by string concatenation.
 * {@code firstName} is spliced directly into the script source, so input containing
 * a closing quote and parenthesis terminates the {@code print} call and the remainder
 * is executed as script, with the engine's Java interop reachable from it. Untrusted
 * input must not be concatenated into script source; it should be passed to the
 * engine as data (via its bindings) rather than as code.
 *
 * @param firstName caller-supplied text; treated here as trusted script source, which is the defect
 * @throws ScriptException if the engine fails to evaluate the assembled script
 */
private static void evalScript(String firstName) throws ScriptException {
ScriptEngineManager manager = new ScriptEngineManager();
// Looks up the engine by name; returns null when no engine is registered under it
ScriptEngine engine = manager.getEngineByName("javascript");
// Injection point: firstName becomes part of the script text, not a quoted string argument
engine.eval("print('"+ firstName + "')");
}
...