How to fix checkmarx reflected XSS attack in JSP page?

Question

In the below JSP page Checkmax shows a Reflected XSS attack as I am using ${pageContext.reqest.contextPath} variable in JavaScript source. I have tried using

<script type="text/javascript" src=" <c:url value="${pageContext.request.contextPath}/js/viewone.js" />">  

but it did not work.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "https://www.w3.org/TR/html4/loose.dtd">
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" 
   pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
   <head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
      <title>jsp page</title>
      <script type="text/javascript" src="${pageContext.reqest.contextPath}/js/viewone.js"></script>
   </head>
   <body>
      <h3>all contents goes here </h3>
      <br>
   </body>
</html>

Answer 1

In your case, I think it's a CheckMarx false positive since request.contextPath is not user input. Anyway, if you have to fix it, my experience is that you have to escape the pageContext.reqest.contextPath with some libraries/method which CheckMarx "recognize".

For example in my case, I used StringEscapeUtils.escapeHtml and CheckMarx is happy with that. Just make sure that you don't have any html entity in your pageContext.reqest.contextPath, like "&", ">", ...

Answer 2

If you use EL expression like ${something} it writes to the response out directly and without escaping. Doesn't matter what is inside the brackets even if you use any escaping utils to protect the content. For this purpose you can use <c:out> tag, it escapes XSS content before it's written to the response.

But in you case it's not necessary because <c:url> adds context path to the resulting URL on their own. You can just remove ${pageContext.request.contextPath}.

<script type="text/javascript" src="<c:url value='/js/viewone.js'/>">