1   /**
2    * BSD-style license; for more info see http://pmd.sourceforge.net/license.html
3    */
4   package net.sourceforge.pmd.lang.jsp.rule.basic;
5   
import java.util.regex.Pattern;

import net.sourceforge.pmd.lang.jsp.ast.ASTElExpression;
import net.sourceforge.pmd.lang.jsp.ast.ASTElement;
import net.sourceforge.pmd.lang.jsp.rule.AbstractJspRule;
9   
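/**
 * Detects JSP EL expressions whose output is not sanitized, which can lead to
 * Cross Site Scripting (XSS) when the expression echoes attacker-controlled data.
 *
 * <p>An EL expression is reported unless one of two heuristics applies: the
 * expression sits inside an element whose name carries a taglib prefix (the name
 * contains a {@code :}), or the expression's image is exactly one
 * {@code fn:escapeXml(...)} call. Both are heuristics: the rule only looks at the
 * enclosing element's name, it does not check whether that tag actually escapes
 * its output, and escaping performed by other functions or at the tag level is
 * not recognised. Expect some false negatives for custom tags and some false
 * positives for other escaping mechanisms.</p>
 *
 * @author maxime_robert
 */
public class NoUnsanitizedJSPExpressionRule extends AbstractJspRule {

    /**
     * Matches an EL image that is a single {@code fn:escapeXml(...)} call.
     * Compiled once instead of re-compiling the pattern through
     * {@link String#matches(String)} on every visited expression. {@code .} does not
     * match line terminators, so a call spanning several lines is not matched
     * (same behaviour as the previous {@code String.matches} call).
     */
    private static final Pattern FN_ESCAPE_XML_CALL = Pattern.compile("^fn:escapeXml\\(.+\\)$");

    /**
     * Reports {@code node} when it is neither inside a taglib element nor an
     * {@code fn:escapeXml(...)} call, then continues the visit.
     *
     * @param node the EL expression being visited
     * @param data the rule context passed through by the visitor
     * @return whatever the superclass visit returns
     */
    @Override
    public Object visit(ASTElExpression node, Object data) {
        if (elOutsideTaglib(node)) {
            addViolation(data, node);
        }

        return super.visit(node, data);
    }

    /**
     * Returns {@code true} when neither exemption applies to the expression, i.e.
     * it should be reported.
     *
     * @param node the EL expression to classify
     * @return {@code true} if the expression is unescaped and outside a taglib element
     */
    private boolean elOutsideTaglib(ASTElExpression node) {
        return !insideTaglibElement(node) && !isFnEscapeXmlCall(node);
    }

    /**
     * Checks whether the enclosing {@link ASTElement} (as returned by
     * {@code getFirstParentOfType}) has a name containing a {@code :}. Only the
     * name is inspected; no claim is made about what the tag does with its body.
     *
     * @param node the EL expression whose ancestor is inspected
     * @return {@code true} if the enclosing element name contains a colon
     */
    private static boolean insideTaglibElement(ASTElExpression node) {
        ASTElement enclosing = node.getFirstParentOfType(ASTElement.class);
        if (enclosing == null) {
            return false;
        }
        String elementName = enclosing.getName();
        return elementName != null && elementName.contains(":");
    }

    /**
     * Checks whether the expression's image is exactly one {@code fn:escapeXml(...)}
     * call; a {@code null} image never matches.
     *
     * @param node the EL expression whose image is inspected
     * @return {@code true} if the whole image is an {@code fn:escapeXml} call
     */
    private static boolean isFnEscapeXmlCall(ASTElExpression node) {
        String image = node.getImage();
        return image != null && FN_ESCAPE_XML_CALL.matcher(image).matches();
    }

}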