CRITICAL
Rule Definition
URLs constructed from unvalidated data, and pages that echo that same data back, form the core of many phishing schemes: an attacker convinces a victim to visit a URL that refers to a vulnerable site, the site reflects the attacker's content back to the victim, and the content is executed by the victim's browser.
The most dangerous web application vulnerability is known as cross-site scripting (XSS). It is caused by malicious script being echoed back into the HTML returned from a trusted site, where it runs in the trusted context of that site.
Remediation
Use authorized sanitization methods.
To avoid the creation of XSS flaws, the Open Web Application Security Project (OWASP) recommends both input validation and "strong output encoding" or sanitization:
"Strong output encoding. Ensure that all user-supplied data is appropriately entity encoded (either HTML or XML depending on the output mechanism) before rendering, taking the approach to encode all characters other than a very limited subset. This is the approach of the Microsoft Anti-XSS library or any valid sanitization libraries. Also, set the character encodings for each page you output, which will reduce exposure to some variants."
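The following Java class is an added example, not code from CAST, OWASP, or the Microsoft Anti-XSS library. It implements the allow-list approach the quotation describes (encode every character except a very limited safe subset as a numeric HTML entity) and renders the page's "Employee ID" line both raw and encoded so the difference is visible. The class name StrongHtmlEncoder, the method names, the safe-character subset, and the sample inputs are all constructed for this illustration.

```java
// Added example: allow-list HTML entity encoder in the style OWASP recommends,
// plus the vulnerable and fixed "Employee ID" rendering side by side.
import java.util.LinkedHashMap;
import java.util.Map;

public final class StrongHtmlEncoder {

    // The only characters passed through unchanged: ASCII letters, digits, and
    // a few punctuation marks that carry no meaning in HTML text content.
    // Everything else (including < > " ' & = and all non-ASCII) is encoded.
    private static boolean isSafe(int cp) {
        return (cp >= 'a' && cp <= 'z')
            || (cp >= 'A' && cp <= 'Z')
            || (cp >= '0' && cp <= '9')
            || cp == ' ' || cp == ',' || cp == '.' || cp == '-' || cp == '_';
    }

    /** Encodes s for an HTML text node or a quoted attribute value. */
    public static String forHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() * 2);
        int i = 0;
        while (i < s.length()) {
            int cp = s.codePointAt(i);          // full code point, so surrogate pairs stay intact
            if (isSafe(cp)) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';'); // decimal numeric entity
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    /** The Violation Code Sample's pattern: request data interpolated raw. */
    public static String renderUnsafe(String eid) {
        return "Employee ID: " + eid;
    }

    /** The Fixed Code Sample's pattern: the same template, eid encoded first. */
    public static String renderSafe(String eid) {
        return "Employee ID: " + forHtml(eid);
    }

    /** Defensive check a reviewer can run: no markup-significant characters survive encoding. */
    public static boolean containsNoMarkupChars(String html) {
        return html.indexOf('<') < 0 && html.indexOf('>') < 0
            && html.indexOf('"') < 0 && html.indexOf('\'') < 0
            && html.indexOf('=') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate ID, the classic reflected-XSS
        // test string, and a non-ASCII value to show the allow-list is strict.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("legit", "E-1042");
        samples.put("probe", "<script>alert(1)</script>");
        samples.put("unicode", "Zo\u00eb \u2603");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String unsafe = renderUnsafe(e.getValue());
            String safe = renderSafe(e.getValue());
            System.out.println(e.getKey() + " raw    : " + unsafe);
            System.out.println(e.getKey() + " encoded: " + safe);
            System.out.println("  markup characters left after encoding: "
                + !containsNoMarkupChars(safe));
        }
    }
}
```

Numeric entities are used rather than named ones so the encoder needs no lookup table and behaves identically in HTML and XML output; the character-set guidance in the quotation still applies, because the browser must decode the page with the charset the server declared for the encoded bytes to be interpreted as intended.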
Violation Code Sample
JSP Example: this JSP code segment reads an employee ID, eid, from the API request and writes it into the page without validation or output encoding, so any markup contained in the parameter is reflected to the user's browser.
...
<%-- eid is taken straight from the request; nothing is validated or encoded --%>
<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>
...
Fixed Code Sample
JSP Example: the same segment with input validation applied to eid and an authorized output-encoding library (OWASP Java Encoder is used here) applied before the value is written into the page.
<%@ page import="org.owasp.encoder.Encode" %>
<%-- Input validation is mandatory: reject any value that is not a well-formed employee ID --%>
<% String eid = request.getParameter("eid"); %>
...
<%-- Authorized sanitization on eid: entity-encode for the HTML output context --%>
Employee ID: <%= Encode.forHtml(eid) %>
Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://cwe.mitre.org/data/definitions/79.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
CISQ rule: ASCSM-CWE-79.
Related Technologies
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.