Rule Definition
Because COBOL systems usually do not interact directly with users on the Internet, reflected cross-site scripting (XSS) is unlikely to occur in them. But COBOL programs generally provide back-end storage management and consequently handle data that is eventually presented to end users via the Internet. This data must be vetted before it is stored.
Persistent XSS occurs when stored data is included in dynamic content that is sent to a system or user without being validated. It is important to validate the data before sending it to the back end for persistent storage. For other systems or applications that read and query data from COBOL-based database storage, the data must be sanitized and encoded before it is stored and/or displayed to the user.
Remediation
Follow the coded character sets for XML documents: specify the CCSID of the generated document with the WITH ENCODING option of XML GENERATE.
1208: UTF-8
1047: Latin 1 / Open Systems
1140, 37: USA, Canada, . . . Euro Country Extended Code Page (ECECP), Country Extended Code Page (CECP)
1141, 273: Austria, Germany ECECP, CECP
1142, 277: Denmark, Norway ECECP, CECP
1143, 278: Finland, Sweden ECECP, CECP
1144, 280: Italy ECECP, CECP
1145, 284: Spain, Latin America (Spanish) ECECP, CECP
1146, 285: UK ECECP, CECP
1147, 297: France ECECP, CECP
1148, 500: International ECECP, CECP
1149, 871: Iceland ECECP, CECP
Violation Code Sample
IDENTIFICATION DIVISION.
PROGRAM-ID. OUTPUTENC.
DATA DIVISION.
WORKING-STORAGE SECTION.
01 GREET.
   02 NAME     PIC X(20).
   02 EMP      PIC 9(12).
   02 GREETMSG PIC X(80) VALUE 'Hello !!'.
01 DOC        PIC X(512).
01 DOC-LENGTH PIC 9(05).
* NAMESPACE AND PREFIX.
01 NSPACE     PIC X(20) VALUE 'http://example'.
01 NPREFIX    PIC X(5)  VALUE 'pre'.
. . .
PROCEDURE DIVISION.
* SQL QUERY: RETRIEVE AND VALIDATE DATA FROM THE DATABASE.
. . .
* GENERATE THE XML OUTPUT. NO CCSID IS SPECIFIED, SO THE
* ENCODING OF THE DOCUMENT IS LEFT IMPLICIT (VIOLATION).
    XML GENERATE DOC FROM GREET
        COUNT IN DOC-LENGTH
        NAMESPACE IS NSPACE
        NAMESPACE-PREFIX IS NPREFIX
        ON EXCEPTION
            DISPLAY 'ERROR IN GENERATE XML: ' XML-CODE
    END-XML.
    STOP RUN.
Fixed Code Sample
IDENTIFICATION DIVISION.
PROGRAM-ID. OUTPUTENC.
DATA DIVISION.
WORKING-STORAGE SECTION.
01 GREET.
   02 NAME     PIC X(20).
   02 EMP      PIC 9(12).
   02 GREETMSG PIC X(80) VALUE 'Hello !!'.
01 DOC        PIC X(512).
01 DOC-LENGTH PIC 9(05).
* NAMESPACE AND PREFIX.
01 NSPACE     PIC X(20) VALUE 'http://example'.
01 NPREFIX    PIC X(5)  VALUE 'pre'.
. . .
PROCEDURE DIVISION.
* SQL QUERY: RETRIEVE AND VALIDATE DATA FROM THE DATABASE.
. . .
* GENERATE THE XML OUTPUT WITH AN EXPLICIT CCSID
* (1208 = UTF-8) SO THE DOCUMENT'S ENCODING IS DEFINED.
    XML GENERATE DOC FROM GREET
        COUNT IN DOC-LENGTH
        WITH ENCODING 1208
        NAMESPACE IS NSPACE
        NAMESPACE-PREFIX IS NPREFIX
        ON EXCEPTION
            DISPLAY 'ERROR IN GENERATE XML: ' XML-CODE
    END-XML.
    STOP RUN.
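As an added, self-contained example (not CAST's code and not one of the page's samples), the program below combines the two points of this rule: it vets the name field with an INSPECT check for markup characters before the record is stored or serialized, then serializes with an explicit CCSID 1208 and WITH XML-DECLARATION so the consuming application is told which encoding to use. The program name XMLSAFE, the BAD-COUNT field and the sample values are assumptions.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. XMLSAFE.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01 GREET.
          02 NAME      PIC X(20).
          02 EMP       PIC 9(12).
          02 GREETMSG  PIC X(80) VALUE 'Hello !!'.
       01 DOC          PIC X(512).
       01 DOC-LENGTH   PIC 9(05).
       01 NSPACE       PIC X(20) VALUE 'http://example'.
       01 NPREFIX      PIC X(5)  VALUE 'pre'.
      * NUMBER OF MARKUP CHARACTERS FOUND IN THE NAME (ASSUMED FIELD).
       01 BAD-COUNT    PIC 9(03).
       PROCEDURE DIVISION.
      * CONSTRUCTED SAMPLE INPUT STANDING IN FOR THE DATABASE READ.
      * A VALUE SUCH AS '<SCRIPT>' WOULD FAIL THE CHECK BELOW.
           MOVE 'ADA LOVELACE' TO NAME
           MOVE 123456789012 TO EMP
      * VETTING STEP: REJECT NAMES THAT CARRY MARKUP CHARACTERS
      * BEFORE THE RECORD IS STORED OR SERIALIZED.
           MOVE ZERO TO BAD-COUNT
           INSPECT NAME TALLYING BAD-COUNT
               FOR ALL '<' ALL '>' ALL '&'
           IF BAD-COUNT > ZERO
               DISPLAY 'NAME REJECTED, MARKUP CHARACTERS: ' BAD-COUNT
               STOP RUN
           END-IF
      * SERIALIZE WITH AN EXPLICIT CCSID (1208 = UTF-8) AND EMIT THE
      * XML DECLARATION SO THE CONSUMER SEES THE ENCODING IN THE DOCUMENT.
           XML GENERATE DOC FROM GREET
               COUNT IN DOC-LENGTH
               WITH ENCODING 1208
               WITH XML-DECLARATION
               NAMESPACE IS NSPACE
               NAMESPACE-PREFIX IS NPREFIX
               ON EXCEPTION
                   DISPLAY 'ERROR IN GENERATE XML: ' XML-CODE
               NOT ON EXCEPTION
      * DOC NOW HOLDS UTF-8 BYTES; REPORT THE LENGTH RATHER THAN
      * DISPLAYING THEM ON AN EBCDIC CONSOLE.
                   DISPLAY 'GENERATED ' DOC-LENGTH ' BYTES OF UTF-8 XML'
           END-XML
           STOP RUN.
```

The first DOC-LENGTH bytes of DOC are what should be written to the file or queue read by the web-facing application; that consumer must still HTML-encode the element values before placing them in a page.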
Reference
https://www.ibm.com/support/knowledgecenter/SS6SG3_4.2.0/com.ibm.entcobol.doc_4.2/PGandLR/tasks/tpxgn02.htm
https://books.google.tn/books?id=E1PAAgAAQBAJ&pg=PA150&lpg=PA150&dq=cobol+xml+generate++specify+the+CCSID+of+the+generated+XML+document.&source=bl&ots=zPd1t5v0xB&sig=ACfU3U28-8e4bn3POwTUFv4Q9wJi98hWpQ&hl=en&sa=X&ved=2ahUKEwiO56P7rYXnAhUCTBoKHcXKC0IQ6AEwA3oECAkQAQ#v=onepage&q&f=false
Related Technologies
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.