CRITICAL
Rule Definition
Cross-site scripting (XSS) is one of the most widespread and dangerous web application vulnerabilities. It is caused by untrusted input (typically user-supplied data) being echoed back, unencoded, into the HTML returned by a trusted site; the injected script then runs in the victim's browser in the trusted site's context, with access to its origin, cookies and session.
To avoid creating XSS flaws, the Open Web Application Security Project (OWASP) recommends both input validation and "strong output encoding" (sanitization):
"Strong output encoding. Ensure that all user-supplied data is appropriately entity encoded (either HTML or XML depending on the output mechanism) before rendering, taking the approach to encode all characters other than a very limited subset. This is the approach of the Microsoft Anti-XSS library, and the forthcoming OWASP PHP Anti-XSS library. Also, set the character encodings for each page you output, which will reduce exposure to some variants."
This metric checks that the appropriate output encoding (sanitization) is coded as close as possible to the call that reads the user input, so that the protection is easy to locate and verify for every team member reviewing the code.
Remediation
Code the appropriate sanitization (output encoding) method as close as possible to the call that reads the user input, and use the encoder that matches the context in which the value is rendered (HTML text, HTML attribute, XML, and so on), as the OWASP guidance above requires.
Violation Code Sample
Sample 1
<% String eid = request.getParameter("eid"); %>
...
<%-- eid is written into the page exactly as received: a value such as <script>...</script> is executed by the browser --%>
Employee ID: <%= eid %>
Sample 2
<script runat="server">
    protected System.Web.UI.WebControls.TextBox Login;
    protected System.Web.UI.WebControls.Label EmployeeID;
    ...
    protected void Page_Load(object sender, EventArgs e)
    {
        // The text box value is copied to the label without encoding; Label.Text is rendered as raw HTML
        EmployeeID.Text = Login.Text;
    }
</script>
<p><asp:label id="EmployeeID" runat="server" /></p>
Fixed Code Sample
Sample 1
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<% String eid = request.getParameter("eid"); %>
...
<%-- Output encoding at the point of rendering: <c:out> escapes <, >, &, ' and " as HTML entities (escapeXml is true by default) --%>
Employee ID: <c:out value="<%= eid %>"/>
Sample 2
<script runat="server">
    protected System.Web.UI.WebControls.TextBox Login;
    protected System.Web.UI.WebControls.Label EmployeeID;
    ...
    protected void Page_Load(object sender, EventArgs e)
    {
        // HTML-encode at the output point: Server.HtmlEncode turns <, >, & and quotes into entities
        EmployeeID.Text = Server.HtmlEncode(Login.Text);
    }
</script>
<p><asp:label id="EmployeeID" runat="server" /></p>
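The allowlist approach from the OWASP quotation above (encode every character except a small safe set, as the Microsoft Anti-XSS library does) in working form. This is an added example written for this page; it is not code from the CAST rule, from the Microsoft Anti-XSS library or from any OWASP library, and the class and method names are assumptions. The main method feeds it constructed inputs and prints the result in both a text-node and a quoted-attribute position:

```java
/**
 * Allowlist HTML encoder: every character outside a small safe set is
 * replaced with a numeric character reference, so the output is inert in an
 * HTML text node and in a double- or single-quoted attribute value.
 *
 * Added example written for this page; not code from the CAST rule nor from
 * the Microsoft Anti-XSS or OWASP libraries. Names are assumptions.
 */
public final class AllowlistHtmlEncoder {

    private AllowlistHtmlEncoder() {
    }

    /** Characters that carry no meaning to the HTML parser in text or attribute context. */
    static boolean isSafe(int codePoint) {
        return (codePoint >= 'a' && codePoint <= 'z')
            || (codePoint >= 'A' && codePoint <= 'Z')
            || (codePoint >= '0' && codePoint <= '9')
            || codePoint == ' ' || codePoint == '.' || codePoint == ','
            || codePoint == '-' || codePoint == '_';
    }

    /** Encodes untrusted text for use in an HTML text node or a quoted HTML attribute. */
    public static String encode(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length() * 2);
        int i = 0;
        while (i < untrusted.length()) {
            int cp = untrusted.codePointAt(i);
            if (isSafe(cp)) {
                out.appendCodePoint(cp);
            } else {
                // Decimal character reference, e.g. '<' becomes "&#60;".
                // Numeric references do not depend on the page's declared charset.
                out.append("&#").append(cp).append(';');
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    /** The "Employee ID" fragment from the rule page, rendered with encoding at the output point. */
    public static String renderEmployeeId(String eid) {
        return "Employee ID: " + encode(eid);
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign value and three typical injection attempts.
        String[] inputs = {
            "12345",
            "<script>alert(document.cookie)</script>",
            "\" onmouseover=\"alert(1)",
            "' onfocus='alert(1)"
        };
        for (String value : inputs) {
            System.out.println("raw:       " + value);
            System.out.println("text node: " + renderEmployeeId(value));
            System.out.println("attribute: <input name=\"eid\" value=\"" + encode(value) + "\">");
            System.out.println();
        }
    }
}
```

Compile and run with javac AllowlistHtmlEncoder.java and java AllowlistHtmlEncoder. Because everything outside the allowlist is encoded, the same call is safe in both the text-node and the quoted-attribute positions shown, which is what lets the encoded value be produced right where the parameter is read, as the rule asks, and reused in the page. Two caveats remain: the space character is on the allowlist, so an unquoted attribute (value=<%= eid %>) is still not protected and attributes must always be quoted; and a value placed inside a JavaScript string or a URL needs a JavaScript or URL encoder instead, so the encoder must be chosen for the output context.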
Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Top_10_2007
CISQ rule: ASCSM-CWE-79.
Related Technologies
.Net
JEE
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It is built on thousands of analyzed applications, written in 35 different technologies, from over 300 business organizations across major verticals. It provides IT leaders with factual key analytics that let them know whether their applications are on track.