CWE-79 Improper Neutralization of Input During Web Page Generation (XSS)

Description

Improper Neutralization of Input During Web Page Generation (XSS)

Reference: https://cwe.mitre.org/data/definitions/79.html

OWASP Category: A03:2021 – Injection


Vulnerable Pattern

❌ Example 1

    public ResponseEntity<String> getVulnerablePayloadLevel1(
            @RequestParam Map<String, String> queryParams) {
        String vulnerablePayloadWithPlaceHolder = "<div>%s<div>";
        StringBuilder payload = new StringBuilder();
        for (Map.Entry<String, String> map : queryParams.entrySet()) {
            payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue()));
        }
        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
    }

❌ Example 2

    public ResponseEntity<String> getVulnerablePayloadLevel2(
            @RequestParam Map<String, String> queryParams) {
        String vulnerablePayloadWithPlaceHolder = "<div>%s<div>";
        StringBuilder payload = new StringBuilder();
        Pattern pattern = Pattern.compile("[<]+[(script)(img)(a)]+.*[>]+");
        for (Map.Entry<String, String> map : queryParams.entrySet()) {
            Matcher matcher = pattern.matcher(map.getValue());
            if (!matcher.find()) {
                payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue()));
            }
        }
        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
    }

Deterministic Fix

✅ Secure Implementation

The regex and keyword blocklist from Example 2 is dropped: filtering tag names does not neutralize input, output encoding for the HTML context does.

    public ResponseEntity<String> getVulnerablePayloadLevel3(
            @RequestParam Map<String, String> queryParams) {
        // Closing tag fixed; the original template "<div>%s<div>" never closed the element.
        String vulnerablePayloadWithPlaceHolder = "<div>%s</div>";
        StringBuilder payload = new StringBuilder();
        for (Map.Entry<String, String> map : queryParams.entrySet()) {
            // Encode for HTML element-content context: escapeHtml4 turns < > & and "
            // into entity references, so the value can no longer open a tag or attribute.
            String encoded = StringEscapeUtils.escapeHtml4(map.getValue());
            payload.append(String.format(vulnerablePayloadWithPlaceHolder, encoded));
        }
        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
    }


Detection Pattern

Look for these patterns in your codebase:

    # Find response body with user input
    grep -rn "ResponseEntity" --include="*.java" | grep -E "getParameter|queryParams"
    # Find String.format in responses
    grep -rn "String.format.*%s" --include="*.java" | grep -i response

Remediation Steps

  1. Identify where user input is rendered in HTML output

  2. Apply context-appropriate encoding (HTML, JavaScript, URL)

  3. Use StringEscapeUtils.escapeHtml4() for HTML context

  4. Use HtmlUtils.htmlEscapeHex() for additional security

  5. Implement Content-Security-Policy headers
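As an added example (not code from the page or from the skills generator), a handler that carries steps 2, 3 and 5 through: the parameter value is HTML-encoded with StringEscapeUtils.escapeHtml4 for element content, the parameter name (also user-supplied when @RequestParam binds a Map) is encoded for its attribute position, and a Content-Security-Policy header is set on the response. It assumes spring-web and commons-text are on the classpath; the class, method and template names are mine.

```java
import java.util.Map;
import org.apache.commons.text.StringEscapeUtils;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class EncodedPayloadController {

    // Template with a proper closing tag; the name lands in a double-quoted
    // attribute and the value in element content, each encoded for its context.
    private static final String TEMPLATE = "<div data-param=\"%s\">%s</div>";

    @GetMapping("/payload")
    public ResponseEntity<String> getEncodedPayload(
            @RequestParam Map<String, String> queryParams) {
        String body = render(queryParams);
        return ResponseEntity.ok()
                // Step 5: CSP limits what a script could do if encoding were ever missed.
                .header("Content-Security-Policy", "default-src 'self'; script-src 'self'")
                .contentType(MediaType.TEXT_HTML)
                .body(body);
    }

    // Kept separate from the handler so it can be unit-tested without a servlet container.
    static String render(Map<String, String> queryParams) {
        StringBuilder payload = new StringBuilder();
        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
            // escapeHtml4 encodes < > & and the double quote, which covers both the
            // double-quoted attribute and the element-content position; no blocklist needed.
            String name = StringEscapeUtils.escapeHtml4(entry.getKey());
            String value = StringEscapeUtils.escapeHtml4(entry.getValue());
            payload.append(String.format(TEMPLATE, name, value));
        }
        return payload.toString();
    }

    // Matches the "Verification" step: constructed input containing markup and quotes.
    public static void main(String[] args) {
        System.out.println(render(Map.of("q", "<b>x</b> & \"y\"")));
    }
}
```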


Key Imports

    import org.apache.commons.text.StringEscapeUtils;
    import org.springframework.web.util.HtmlUtils;


Verification

After remediation:

  • Re-run SAST scan - CWE-79 should be resolved

  • Test with XSS payloads: alert(1)

  • Verify special chars are encoded: < becomes &lt;


Trigger Examples

Fix CWE-79 vulnerability
Resolve Improper Neutralization of Input During Web Page Generation (XSS) issue
Secure this Java code against improper neutralization of input during web page generation (xss)
SAST reports CWE-79

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | Direct HTML response |
| View | *.html, *.jsp | Unescaped ${} or <%= %> |


Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07
